Windows Analysis Report
chica-pc-shield-1-75-0-1300-en-win.exe

Overview

General Information

Sample name: chica-pc-shield-1-75-0-1300-en-win.exe
Analysis ID: 1545541
MD5: 1870fbe03e739325c142eacbe1667ff3
SHA1: 7b86308efbcde9175b405445179bbceb196d0f73
SHA256: fba0337b65c15b029ee4f87b3db5fcfc6ce61a29289d9e6c58d0bcebee995ce0
Tags: exe, user-MaxMax66

Detection

GhostRat, KillMBR, Xtreme RAT
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected GhostRat
Yara detected KillMBR
Yara detected Xtreme RAT
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to hide user accounts
Creates a FSFilter Anti-Virus service
Creates an undocumented autostart registry key
Found PHP interpreter
May modify the system service descriptor table (often done to hook functions)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • chica-pc-shield-1-75-0-1300-en-win.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe" MD5: 1870FBE03E739325C142EACBE1667FF3)
    • chica-pc-shield-1-75-0-1300-en-win.tmp (PID: 6460 cmdline: "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe" MD5: C2BE7988C8762E314534B2908C4D6E49)
      • regsvr32.exe (PID: 5452 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • regsvr32.exe (PID: 4276 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 5972 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • cpcs.exe (PID: 2412 cmdline: "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial MD5: 064E37783673E0094DAE704513F29393)
        • regsvr32.exe (PID: 3652 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
        • regsvr32.exe (PID: 5792 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • cpcs.exe (PID: 5440 cmdline: "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update MD5: 064E37783673E0094DAE704513F29393)
        • regsvr32.exe (PID: 6292 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
        • regsvr32.exe (PID: 5652 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • cpcs.exe (PID: 3472 cmdline: "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" MD5: 064E37783673E0094DAE704513F29393)
        • regsvr32.exe (PID: 2452 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
        • regsvr32.exe (PID: 7088 cmdline: regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  • cpcsgui.exe (PID: 6780 cmdline: "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent MD5: 9CC7642A4825E87C9EACB29391279F43)
  • svchost.exe (PID: 1408 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cpcsscheduler.exe (PID: 5660 cmdline: "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe" MD5: C56F757EB2A6D9B850FAD5F075008A57)
  • cleanup
No configs have been found
Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, Rule: xtremrat, Description: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_, Strings:
  • 0x2cee0:$a: XTREME
  • 0x2d04a:$a: XTREME
  • 0x3b4fe:$a: XTREME
  • 0x3c040:$a: XTREME
  • 0x3b4fe:$h: XTREME RAT
  • 0x3c040:$h: XTREME RAT
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, Rule: thequickbrow_APT1, Description: unknown, Author: AlienVault Labs, Strings:
  • 0x7b834:$s1: thequickbrownfxjmpsvalzydg
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, Rule: xtremrat, Description: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_, Strings:
  • 0x2b53a:$a: XTREME
  • 0x32c52:$a: XTREME
  • 0x3dda0:$a: XTREME
  • 0x3dda0:$h: XTREME RAT
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, Rule: xtremrat, Description: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_, Strings:
  • 0x30a76:$a: XTREME
  • 0x30f12:$a: XTREME
  • 0x30a76:$h: XTREME RAT
  • 0x30f12:$h: XTREME RAT
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, Rule: xtremrat, Description: Xtrem RAT v3.5, Author: Jean-Philippe Teissier / @Jipe_, Strings:
  • 0x30d0e:$a: XTREME
  • 0x31102:$a: XTREME
  • 0x37b52:$a: XTREME
  • 0x387c6:$a: XTREME
  • 0x30d0e:$h: XTREME RAT
  • 0x31102:$h: XTREME RAT
  • 0x37b52:$h: XTREME RAT
  • 0x387c6:$h: XTREME RAT

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: {57CE581A-0CB6-4266-9CA0-19364C90A0B3}, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\regsvr32.exe, ProcessId: 5452, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt\(Default)
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe /install /silent, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp, ProcessId: 6460, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ChicaPC-Shield
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1408, ProcessName: svchost.exe
No Suricata rule has matched

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_005E02A0 CryptAcquireContextW,12_2_005E02A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_005E0410 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,12_2_005E0410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6BB6FFD0 CryptAcquireContextW,12_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,12_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,12_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,12_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,12_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F85E400 CryptAcquireContextW,12_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,12_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,12_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F869C00 CryptGenRandom,12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe, Code function: 12_2_6F853130 CryptGenRandom,12_2_6F853130
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_008E71F0 CryptAcquireContextW,14_2_008E71F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_008E71C0 CryptGenRandom,14_2_008E71C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6BB6FFD0 CryptAcquireContextW,14_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,14_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,14_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,14_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,14_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F85E400 CryptAcquireContextW,14_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,14_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,14_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F869C00 CryptGenRandom,14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe, Code function: 14_2_6F853130 CryptGenRandom,14_2_6F853130
Source: chica-pc-shield-1-75-0-1300-en-win.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown, HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknown, HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0
Source: chica-pc-shield-1-75-0-1300-en-win.exe, Static PE information: certificate valid
Source: Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: z:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: x:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: v:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: t:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: r:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: p:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: n:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: l:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: j:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: h:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: f:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: b:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: y:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: w:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: u:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: s:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: q:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: o:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: m:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: k:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: i:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: g:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: e:
Source: C:\Windows\System32\svchost.exeFile opened: c:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeFile opened: a:
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\OUTLOOK EXPRESS\AUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFD6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES (X86)\OUTLOOK EXPRESS\AUTORUN.INFq
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Worm.AutoRun, %USERROOT%\Documentsautorun.inf
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Malware.Trace, %PROGRAMFILES%\Outlook Express\autorun.inf
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Autorun.inf
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [AUTORUN]
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\DOCUMENTSAUTORUN.INF@
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTSAUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTSAUTORUN.INFc
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \autorun.inf
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Autorun.infc
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,14_2_6F8625E0
Source: Joe Sandbox ViewIP Address: 65.9.66.107 65.9.66.107
Source: unknownHTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknownHTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /v1/config/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global trafficHTTP traffic detected: GET /v1/news/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global trafficHTTP traffic detected: GET /v1/custom/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global trafficHTTP traffic detected: GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: **\IM#####.JPG-WWW.MYSPACE.COM*.EXE equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: **\IMAGE-WWW.FACEBOOK.COM-####-*.JPG.EXEDC4E equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: **\PIC##*##-JPG-WWW.FACEBOOK.COM.EXEt equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\USERS\user\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\WINDOWS\SYSTEM32\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\WINDOWS\SYSWOW64\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\WINDOWS\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Agent, %SYSDIR%\taskmde.youtube.superpop.http.www.youtube.com equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|*www.facebook.scr equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Backdoor, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Firewall Administrating=*www.myspace.com* equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run|Firewall Administrating=*www.myspace.com* equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Firewall Administrating=*www.myspace.com* equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: EXTRA=Trojan.Downloader, %TEMP%\I_AM_EMO.gif---www.facebook.com equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Backdoor.Bot.Gen && PATTERN=**\*.JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=IM.Worm && PATTERN=**\IMAGE-www.facebook.com-####-*.JPG.exe && STRINGS=992, 55505821 equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=PasswordStealer.Kurit && VERSION=1, %NULL% && VERSION=2, www.hotmail.com && VERSION=3, 1?0?0?0 && VERSION=5, Microsoft Corporation equals www.hotmail.com (Hotmail)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Agent && PATTERN=**\PIC##*##-JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Agent && VERSION=1, Www.Yahoo-i.Com && VERSION=2, %NULL% && VERSION=3, 1.00 && VERSION=5, %NULL% && VERSION=7, Yahoo.exe equals www.yahoo.com (Yahoo)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\IM#####?JPG-www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\IM*.JPG?www.myspace.com.exe && VERSION=FALSE && STRINGS=78, 546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F6465 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\PIC##########-JPG-www.facebook.com && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.AgentBypass && PATTERN=*.JPG-www.myspace.com.exe && VERSION=FALSE && STRINGS=0, 4D5A90 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Downloader && PATTERN=**\*www.facebook.com.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.Email.Gen && PATTERN=**\*IM######?JPG#?www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook tools.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook_hack.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Worm.Palevo && PATTERN=**\*.JPG-www.facebook.exe && VERSION=FALSE equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Worm.Palevo && PATTERN=**\IM#####.JPG-www.myspace.com*.exe && VERSION=FALSE && STRINGS=1082, 000083F801746C85C0742AC7042408000000FFD0BBFFFFFFFF89D88B75FC8B5DF889EC5DC204003D930000C074BD3D940000C074BB89D88B75FC8B5DF889EC5DC204008D76003D050000C075E8C704240B00000031F689742404E8 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Worm.Palevo.Gen && PATTERN=*www.facebook.com.scr && VERSION=FALSE && STRINGS=1568, 5589E583EC08C7042401000000FF1508414200 && STRINGS=496, 2E62737300000000??????????????000000000000000000000000000000000000000000??0000?? equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: POLY=Worm.Palevo.Gen && SIZE=24000, 100000 && PATTERN=**\n########_##.JPG-www.facebook.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.facebook.comn equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.hotmail.com6 equals www.hotmail.com (Hotmail)
Source: global trafficDNS traffic detected: DNS query: stats.mbamupdates.com
Source: global trafficDNS traffic detected: DNS query: data-cdn.mbamupdates.com
Source: global trafficDNS traffic detected: DNS query: edge.data-cdn.mbamupdates.com
Source: global trafficDNS traffic detected: DNS query: hw.data-cdn.mbamupdates.com
Source: global trafficDNS traffic detected: DNS query: llnw.data-cdn.mbamupdates.com
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: HTTP://WWW.WW-XXOOXX-CH.NET
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Http://WwW.YlmF.CoM
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1002.03r.info:338/13.jpg
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://182.237.1.106:333/32.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.78.240.87/ebb.php
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Photos.MSN.com
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anthneic.blogspot.com/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://as.starware.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.ez173.com/
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://best-pc.co.kr
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bsalsa.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.ez173.com/
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.stat
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.mal
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwa
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareb
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwareb-
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareby
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/clie
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_r
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/Chameleon_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/FileAssassin_64x64.png
Source: cpcs.exe, 00000009.00000003.2510041575.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/StartupLite_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/anti_rootkit_64x64.png
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.stb
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cha.91mt.com/asp/xg.asp
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d1.kuai8.com
Source: cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.php
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.phpon
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edits.mywebsearch.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geral.gratixhost.com.br/publicidade/publicidade.js
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.proxy.icq.com/hello
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=0000000
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=1000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://koxp.alcazer.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exe
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exeC:
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.pac
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.packer
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://saskentbbq.com/sasmate
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sms911.ru
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://snake.gnuchina.org
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://topagacilaboratuari.com/topagaci.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sf.net
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.clic
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wara6.homeftp.org/c
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wfef5.mine.nu/config.asp
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wsy539.myrice.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.6071.com/
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.8es.cn/code/adview_pic.php
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com11
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.Parodieront.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.a0?a.co0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.com
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comion
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comz
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aimp.ru
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ankord.com/)
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/enable-partial-reads
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-content
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-contenthttp://xml.org/sax/features/validatio
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.best-pc.co.kr
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032168361.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2795341385.0000000002100000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032244303.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034370148.000000000213C000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034264033.0000000003110000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791392614.0000000002140000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792550502.0000000002144000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791262908.000000000213C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com
Source: cpcsgui.exe	String found in binary or memory: http://www.chicalogic.com/pc-shield-re
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-re9
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-reJ
Source: cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rei
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rel
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rew
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chukotka.kz/cache/msn.php?id=0
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com/PostAccepter.aspxQ5
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exeW
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.czsoft.go1.icpcn.com/
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.desksave.de
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emule-project.net
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn.&
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com039~$
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.comr.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.heaventools.com)
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jetswap.comD
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.o
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.oY
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.or
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/chameleon
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fil
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/file
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileass
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileassassin
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/mbar
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/startuplite
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/=H
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.com
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.comy
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pdfforge.org/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.qqceo.net
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rivalgaming.com/ClientPrivacyPolicy.rg0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.skrsoftware.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.w3.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ww-xxooxx-ch.net
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zippay.ru/robo-pay.php?lang=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xdinheirox.rememberit.com.au/
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interning
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/validation
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Operating System Destruction

Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

System Summary

Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: The PHP Group
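The string rows and the YARA rows above all come out of process memory dumps, and the dump identifier encodes which process the region belongs to (the report pairs 00000009 with cpcs.exe, 0000000E with cpcsscheduler.exe, 00000000 and 00000001 with the installer and its .tmp). The script below is an added example for this page, not Joe Sandbox code and not the product's: it parses rows in exactly the flattened form shown here, groups them by process, collapses the truncated prefix copies of one string (http://cdn.stat, http://cdn.static.mal, ... are fragments of a longer URL), defangs the host part for reporting, and counts YARA hits per process and memory region. The sample rows are copied from this report; the process-index table is assumed complete only for the five processes the report names (indices 0xF and 0x12 are left unnamed). Seeing every rule hit and every C2-style URL from unrelated families land in a handful of regions of one scanner process is the cue to check what those regions hold, as the POLY= signature-style entries above suggest, before reading the detection names as a live infection.

```python
"""Group this report's 'String found in binary or memory' and 'Matched rule' rows
by the process whose memory dump they came from.  Added example, not Joe Sandbox
code.  ROWS is copied verbatim from the report, flattened columns included;
PROCESS_NAMES is read off the report's own pairing of dump identifiers with
image names and is assumed complete only for the five processes listed."""
import re
from collections import Counter, defaultdict

ROWS = [  # copied from the report above, column separators missing as on the page
    "Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://182.237.1.106:333/32.exe",
    "Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdn.static.mal",
    "Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/Chameleon_64x64.png",
    "Source: cpcsgui.exeString found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/FileAssassin_64x64.png",
    "Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces",
    "Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: thequickbrow_APT1 Author: AlienVault Labs",
    "Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_",
    "Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_",
]

# Process index -> image name, as the report pairs them (assumed complete only for these).
PROCESS_NAMES = {
    0x0: "chica-pc-shield-1-75-0-1300-en-win.exe",
    0x1: "chica-pc-shield-1-75-0-1300-en-win.tmp",
    0x9: "cpcs.exe",
    0xC: "cpcsgui.exe",
    0xE: "cpcsscheduler.exe",
}

# The finding label runs straight into the source column, so match it by name.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*(?P<kind>String found in binary or memory|Matched rule):\s*(?P<val>.*)$"
)
# Dump identifier: <process index>.<type>.<id>.<base address>. ... .sdmp (only proc and base used).
DUMP_RE = re.compile(r"\b(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.")


def parse_row(line):
    """Split one flattened report row into process name, dump base, kind and value."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src, kind, val = m.group("src"), m.group("kind"), m.group("val").strip()
    d = DUMP_RE.search(src)
    if d:
        proc, base = int(d.group("proc"), 16), int(d.group("base"), 16)
        name = PROCESS_NAMES.get(proc, f"unnamed process index {proc:#x}")
    else:  # rows that cite only an image name, e.g. "cpcsgui.exe"
        proc, base, name = None, None, src.split(",")[0].strip()
    return {"proc": proc, "base": base, "name": name, "kind": kind, "value": val}


def collapse_fragments(strings):
    """Drop any string that is a strict prefix of another: memory scans of the same
    buffer yield truncated copies (http://cdn.stat, http://cdn.static.mal, ...)."""
    kept = []
    for s in sorted(set(strings), key=len, reverse=True):
        if not any(k.startswith(s) for k in kept):
            kept.append(s)
    return sorted(kept)


def defang(url):
    """hxxp:// and [.] in the host part only, so paths stay searchable."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.lower().replace('http', 'hxxp')}://{host.replace('.', '[.]')}{slash}{path}"


def triage(lines):
    """Per process: defanged, de-fragmented URLs, YARA rule hit counts and the
    distinct memory regions (dump base addresses) those hits landed in."""
    report = defaultdict(lambda: {"urls": [], "rules": Counter(), "regions": set()})
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        entry = report[row["name"]]
        if row["kind"] == "String found in binary or memory":
            entry["urls"].append(row["value"])
        else:  # Matched rule: keep the rule description, drop the Author: column
            entry["rules"][row["value"].split(" Author:")[0]] += 1
            if row["base"] is not None:
                entry["regions"].add(row["base"])
    for entry in report.values():
        entry["urls"] = [defang(u) for u in collapse_fragments(entry["urls"])]
    return dict(report)


if __name__ == "__main__":
    for name, entry in triage(ROWS).items():
        print(name, dict(entry["rules"]), [hex(b) for b in sorted(entry["regions"])])
        for url in entry["urls"]:
            print("   ", url)
```

Trailing bytes glued to a URL (http://www.google.com039~$, ...exeC:) are adjacent memory content, not part of the string; the collapse step deliberately leaves them alone rather than guess where the URL ends, so those entries still need a human look.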
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042F520 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423B84 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004125D8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00478648 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045746C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F872930 CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,Sleep,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E5DD0 DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,CreateEnvironmentBlock,CloseHandle,_memset,CreateProcessAsUserW,DestroyEnvironmentBlock,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\is-VCK25.tmp
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048053F
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00470584
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0046727C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048DA5C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00486720
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045EF9C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045B04C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004692DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_004876801_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_004519BC1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_0043DD501_2_0043DD50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005DA210
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F22DD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005EE281
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005BC3C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005E8410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005FC4E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F267B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005FA62E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005DE6F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005E47F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005C4790
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F2A4D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005FAB7F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B4CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F8D90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F2E35
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005FB0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005E5110
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005DF3B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B1410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B5560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005FB7AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B5860
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005D9930
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B79E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005DBB30
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B5D40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005F1E48
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005C3E40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005B1EF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F8511E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_3_033C236A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_008EC0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091B027
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_009091D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_009211DF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_008EE140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091D3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091F3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_009103F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091B3F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_008E3520
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091A7F4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091B7E1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00921730
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0090C740
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00907870
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00922B44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_0091AC89
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00920C8E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00921E0C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_00906F90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F8511E0
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 004078F4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00457DF4 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00457BE8 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00403684 appears 224 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 00453344 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: String function: 004460A4 appears 59 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 0090D53A appears 64 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 0090EF60 appears 33 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 008E1450 appears 138 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 6F856530 appears 139 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: String function: 6F88F635 appears 79 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 005ECC60 appears 34 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 005E6ABC appears 70 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: String function: 6F88F635 appears 79 times
Source: chica-pc-shield-1-75-0-1300-en-win.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-L12IJ.tmp.1.dr | Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-L12IJ.tmp.1.dr | Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-DB4G5.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-DB4G5.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-DB4G5.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe
Source: chica-pc-shield-1-75-0-1300-en-win.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR | Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR | Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: V2\custom\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +tub.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Basic\nLoader\Projekt1.vbp3
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 20 Prof Updater\Project1.vbpo
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AD:\??????.vbpyc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v5\Server\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AC:\????????.vbp>d
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Logoff.vbp
Source: cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Documents and Settings\Administrador\Desktop\new project\New_Project1.vbp?
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: N\IEAdBlocker.vbp%
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????????.vbpOc
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AC:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AJ:\Jhocko\Loader\Loader.vbpw
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: (*\AC:\SteveMac\VB6\Controls\S-Grid5\pVBALGrid6.vbpH\
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????.vbp?c
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: uveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \calculator.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\GroundPlayer.vbpen#
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\DZYA.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z1.vbpY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: POLY=Trojan.VBPacked && SIZE=240000, 265000 && RESOURCE=RT_ICON, 1403, AAD517AAD504CBEE04CBEE04CBEE04CBEE3ABEDA32AA6492454D92454DA6666A2D3ECC4E77D72B42D42831CA2D3ECC2D3ECC2F9059 && PESECTION=1, * && VOFFSET=424, 8, 15, 504543
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\pzFBNe.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _Generated-3\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Server\winlog.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????????????????.vbpe1WH4
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AC:\????????????????\Modif\ica\??????????????\Computer ???? ??????ica d orp\???????????? ???????????? ??r EMINEMOr????????a.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mmmm?.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \M3\Desktop\CR\ST\S.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Santos\Desktop\Stub\stub.vbp
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AF:\untitled01\new\7\tools\backup\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: itc\it_inst\Project1.vbp=,
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AZ:\q\q.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AC:\sethc.vbpu
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbp0000
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: oGachi to Gachito.vbpC.
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: M3\Desktop\Machine\Setup.vbpZ
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @*\AC:\Project1.vbpown65
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????????.vbp^c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????.vbpEc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win11\DirtyBusinessNewMod.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\dTtI.vbpbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \EXE\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AH:\V1.0\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: D:\????????.vbp!
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CommonDialog_Class.vbp
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: john\Desktop\Stub\stub.vbpN
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NYHOMv.vbpN~
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Priv8\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \GoogleGroupsBHO.vbpW
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AD:\Projekt1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \GoogleGroupsBHO.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????????.vbpcc
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: New Folder\Project1.vbp
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E5C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: .*\AC:\SteveMac\VB6\XHELPE~1\SSubTmr\SubTimer6.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 0zcyfqrkkdgt opgz|kxrcbpWqe|oml6.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: fgf.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \newwish\uniedit.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \serv\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????????????.vbp?A
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \JKMobile.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: z1.vbper
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Simple\Stub\stub.vbp8
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AC:\????????.vbp"c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????.vbpHc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: io\deho\deho.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????????????????.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AC:\??????.vbp,c
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AC:\Stub3\GqtM3.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Nero.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \newwish\uniedit.vbpxe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: POLY=Trojan.VBPassSteal && STRINGS=1169, 62737465616C65725F6C6F6164 && STRINGS=128, B71207DBF3736988F3736988F3736988 && STRINGS=987, 332E30300055505821
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \puxa vb\viks.vbp7
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Server\winlog.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Tool Febrero\Proyecto1.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sax 0\Pdoaeatsd.vbpq
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????????????????????????.vbpTY
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PCsig2\stub\STUB.vbp'
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: *\AE:\Projekt1.vbp9
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Santa\Project1.vbpU
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\??????.vbprc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbpsL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \_new3_test_006\project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\????????.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \IMPORTANT.vbp>s
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X\Server\Project1.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y:\code\prog\my\mycall.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: free\leader\driver.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Generated-1\Project1.vbp^
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\ssss\VEhvdQTbQ.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AC:\??????????.vbp
Source: classification engine | Classification label: mal54.rans.troj.evad.winEXE@30/92@19/3
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle, 12_2_6F85FAE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle, 14_2_6F85FAE0
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA, 1_2_00455E0C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW, 12_2_6F88EBA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW, 14_2_6F88EBA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_005BB070 CharUpperW,CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,Process32NextW,CloseHandle, 12_2_005BB070
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Code function: 1_2_00456574 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString, 1_2_00456574
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409BEC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Code function: 12_2_6F872F00 CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle, 12_2_6F872F00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe | Code function: 14_2_008E1E80 StartServiceCtrlDispatcherW, 14_2_008E1E80
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | File created: C:\Program Files (x86)\ChicaLogic
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: NULL
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\CPCSScannerMutex
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: kernel32.dll 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /silent 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /install 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /uninstall 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /stop 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /starttray 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: /startalways 12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe | Command line argument: PK_ 12_2_005F4AA0
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: cpcsgui.exe | String found in binary or memory: /stop
Source: cpcsgui.exe | String found in binary or memory: /stop
Source: cpcsgui.exe | String found in binary or memory: /install
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | File read: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe
Source: unknown | Process created: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe "C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: unknown | Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: atl.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: advpack.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: olepro32.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: asycfilt.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mbamcore.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: userenv.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mpr.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: winsta.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: ieframe.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: netutils.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: propsys.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: msiso.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mbamnet.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: msls31.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: secur32.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mlang.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: wininet.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Source: ChicaPC-Shield Notifications.lnk.1.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
Source: Uninstall ChicaPC-Shield.lnk.1.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe
Source: ChicaPC-Shield.lnk.1.drLNK file: ..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Source: ChicaPC-Shield.lnk0.1.drLNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpWindow found: window name: TSelectLanguageFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpAutomated click: I accept the agreement
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeAutomated click: OK
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: chica-pc-shield-1-75-0-1300-en-win.exeStatic PE information: certificate valid
Source: chica-pc-shield-1-75-0-1300-en-win.exeStatic file information: File size 8967808 > 1048576
Source: Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdbj source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ????????????????.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?????.pdbr source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\??????????????????????????????????????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ??:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
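The `.pdb` strings above come from a flat scan of cpcs.exe's memory and of the files the installer drops, and several of them are plainly not debug records of the code that is running: two read `EXTRA=<family>, <path>, DP`, which reads like a detection-signature entry (a family name such as Password.Stealer or Adware.Agent paired with a path), and the `FACEBOOK STEALER.PDB` path recurs with `%TEMP%` expanded for several user profiles. cpcs.exe also loads mbamnet.dll and the installer registers mbamext.dll, so one plausible reading is that a signature database held in process memory accounts for many of these paths, including the gh0st, Rxbot and DarkShell ones, and that is worth ruling in or out before treating the Yara hits as a verdict. The script below is an added example, not code from the report or from ChicaLogic. It runs the same kind of scan over a constructed byte buffer and separates linker-emitted RSDS CodeView records (a GUID and age followed by the path, which is what the debugger actually uses) from loose `.pdb` strings and from signature-style entries. The buffer, the GUID and the exact `EXTRA=` line format are assumptions for the demonstration.

```python
import re
import struct
import uuid

# Constructed stand-in for a slice of process memory; none of these bytes come from
# the analysed sample. It mixes three kinds of ".pdb" occurrence:
#   * a linker-emitted CodeView 7.0 record: "RSDS" + GUID + age + NUL-terminated path
#   * a bare path with no RSDS header in front of it (as a copied string would appear)
#   * a signature-style line "EXTRA=<family>, <path>, DP" like the ones in the report
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + b"c:\\build\\release\\app.pdb\x00"
    + b"\x00" * 8
    + b"e:\\job\\gh0st1.0\\Release\\Loader.pdb\x00"
    + b"EXTRA=Password.Stealer, %TEMP%\\Facebook\\Facebook Stealer.pdb, DP\r\n"
    + b"trailing\x01\x02\x03"
)

# A flat scan: any printable ASCII run that ends in ".pdb". This is roughly what the
# "Binary string: ... .pdb" lines above are produced from, and it cannot tell a real
# debug record from a path that merely sits in memory.
LOOSE_PDB_RE = re.compile(rb"[\x20-\x7e]{1,250}\.pdb")

# Signature-database style entry (assumed format), matched against an extracted string.
SIG_ENTRY_RE = re.compile(r"^EXTRA=([\w.-]+),\s*(.+\.pdb)$", re.IGNORECASE)


def codeview_records(buf: bytes):
    """Return (guid, age, path) for every RSDS CodeView record in buf.

    A record is accepted only if a short NUL-terminated path ending in ".pdb"
    follows the 16-byte GUID and 4-byte age, which is how a linker writes it."""
    records = []
    pos = buf.find(b"RSDS")
    while pos != -1:
        start = pos + 4
        if start + 20 <= len(buf):
            guid = uuid.UUID(bytes_le=buf[start:start + 16])
            age = struct.unpack_from("<I", buf, start + 16)[0]
            end = buf.find(b"\x00", start + 20)
            path = buf[start + 20:end] if end != -1 else b""
            if 0 < len(path) <= 260 and path.lower().endswith(b".pdb"):
                records.append((str(guid), age, path.decode("latin-1")))
        pos = buf.find(b"RSDS", start)
    return records


def loose_pdb_strings(buf: bytes):
    """Every printable run ending in '.pdb', as a flat memory scan would report it."""
    return [m.group(0).decode("latin-1") for m in LOOSE_PDB_RE.finditer(buf)]


def classify_pdb_strings(buf: bytes):
    """Label each flat-scan hit so the reader can see which ones are evidence of
    the running code's own build and which are just data the process holds."""
    record_paths = {path for _, _, path in codeview_records(buf)}
    labelled = []
    for s in loose_pdb_strings(buf):
        if s in record_paths:
            kind = "linker-debug-record"
        elif SIG_ENTRY_RE.match(s):
            kind = "signature-database-entry"
        else:
            kind = "loose-string"
        labelled.append((s, kind))
    return labelled


if __name__ == "__main__":
    for guid, age, path in codeview_records(SAMPLE_MEMORY):
        print(f"RSDS {guid} age={age} {path}")
    for s, kind in classify_pdb_strings(SAMPLE_MEMORY):
        print(f"{kind:26} {s}")
```

On a real dump, the `linker-debug-record` set is the one to compare against the executable's own debug directory; a `loose-string` hit for a known malware toolchain is an indicator, but only after the process's signature data and any embedded files have been accounted for.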
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress, 1_2_0044852C
Source: is-6PN99.tmp.1.dr Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_3_021A3ED7 push 4002145Eh; ret 1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_3_02142704 pushad ; retn 0046h 1_3_02142705
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_3_021A4000 push 4002145Eh; ret 1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00483AD8 push 00483BE6h; ret 1_2_00483BDE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00494888 push ecx; mov dword ptr [esp], ecx 1_2_0049488D
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004851C8 push ecx; mov dword ptr [esp], ecx 1_2_004851CD
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004591A8 push 004591ECh; ret 1_2_004591E4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741

Persistence and Installation Behavior

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances\CPCSProtector Instance Altitude
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbam.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamcore.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-KP3IJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Windows\System32\drivers\is-VCK25.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-0DUR6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\mbam.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe (copy)
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Windows\system32\drivers\cpcs.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamnet.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-DB4G5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-S0PAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp

Boot Survival

Source: C:\Windows\System32\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt NULL
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield.lnk
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield Notifications.lnk
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\Uninstall ChicaPC-Shield.lnk
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe Code function: 12_2_6F88F120 ChangeServiceConfig2W,StartServiceW,GetLastError, 12_2_6F88F120
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield

Hooking and other Techniques for Hiding and Protection

Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|NT_AUTORITY
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: KeServiceDescriptorTable
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0048348C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048348C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara matchFile source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.AGENT && SIZE=96304, 123880 && VERSION=1, HEX-RAYS SA && VERSION=3, 5.5.0.925 && VERSION=7, IDAG.EXE && RESOURCE=RT_GROUP_ICON, 0, 000001000100??????000100??00????00000100
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.SPYEYES && SIZE=80000, 420000 && VERSION=1, DATARESCUE SA/NV && VERSION=3, 5.2.0.908 && VERSION=7, IDAG.EXE && VERSION=8, THE INTERACTIVE DISASSEMBLER && STRINGS=456, 504543327A4F
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IDAG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OLLYDBG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=WORM.NEERIS, %TEMP%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.AGENT && SIZE=1000, 1000000 && VERSION=1, DANIEL PISTELLI && VERSION=3, 7.9.0.0 && VERSION=7, CFF EXPLORER.EXE
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: COBSERVER.EXE"
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLL
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.AGENT, %PROGRAMFILES%\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IDAG.EXE|DEBUGGER, DP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.DOWNLOADER.MDN && VERSION=1, HEX-RAYS SA && VERSION=7, IDAG.EXE && RESOURCE=RT_VERSION, 134, 30003400310039 && STRINGS=%PE3% + 952, 637279707465642E657865
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\FILE.EXESBIEDLL.DLL3;
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=HIJACK.DISALLOWRUN, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|FOLDERSNIFFER=FOLDERSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FILEMON.EXE
Source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXETDH6N
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.SPYEYES && VERSION=1, UNDERGROUND INFORMATION CENTER && VERSION=3, 1.5.800.2006 RC7 && VERSION=4, PE TOOLS V1.5 RC7 && VERSION=7, PETOOLS.EXE && STRINGS=%PE2% + 306, 50004D00560059004B0055004A0046004C0037 && STRINGS=472, 50454332774F
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.AGENT && VERSION=5, JIQKZMOK && VERSION=7, COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SANDBOXIERPCSS.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CFF EXPLORER.EXE2
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.FRAUDLOAD, %SYSDIR%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|SBIESVC.EXE=*\MICROSOFT\SBIESVC.EXE*
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLLDBGHELP
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PETOOLS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.AGENT, %APPDATA%\WINDBG\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VNETSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=TROJAN.FAKEALERT && VERSION=7, VNETSNIFFER.EXE && STRINGS=128, 136F6768570E093B570E093B570E093B5202563B730E093B5202063B5C0E093B4406543B550E093BD406543B500E093B570E083B230E093B5202693B540E093BBB05573B560E093B5202533B560E093B
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLLSBIEDLL.DLLCURRENTUSERANDY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNSC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=TROJAN.DOWNLOADER, %TEMP%\PROCMON.EXE, NV
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeMemory allocated: 5EA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeMemory allocated: 45B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeMemory allocated: 4830000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,12_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetAdaptersInfo,GetAdaptersInfo,12_2_6BBB2620
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,14_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetAdaptersInfo,GetAdaptersInfo,14_2_6BBB2620
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Windows\System32\drivers\is-VCK25.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Windows\system32\drivers\cpcs.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpDropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5539
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_12-110001
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeAPI coverage: 6.5 %
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeAPI coverage: 8.9 %
Source: C:\Windows\System32\svchost.exe TID: 5800Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeLast function: Thread delayed
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h12_2_6F856A20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h14_2_6F856A20
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00452A60 FindFirstFileA,GetLastError,1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,14_2_6F8625E0
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeCode function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B30
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && SIZE=10000000, 15000000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && SIZE=20000, 150000 && VERSION=1, VMware? Inc. && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareTray.exe && STRINGS=464, 50454332764F
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=6592, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.FakeAlert, HKCR\VMwareApp.VMware*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Bot, HKLM\System\CurrentControlSet\Services\VMwareService
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && SIZE=25000, 300000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWARE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Backdoor.Bot && DIGISIG=FALSE && VERSION=1, %NULL% && VERSION=4, vmnethcp.exe && STRINGS=%PE2% - 1276, 420069006F004300720065006400500072006F0076002E006500780065 && STRINGS=128, 504500004C010300 && STRINGS=216, 00000000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\NetDDEVMTools
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMware process Tool=*\help.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Local Settings\VMwareDnD\QTTask.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Worm.KoobFace && VERSION=1, VMware? Inc.* && STRINGS=48, 000000000000000000000000D80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????52696368????????0000000000000000504500004C010400????????0000000000000000E0000F010B01????00??000000??000000????00????00000010000000??00000000400000100000000200000400000005000100040000000000000000????0000040000????0100020000800000??0000??00000000??0000??000000000000100000000000000000000000????0000????000000????00????0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000????0000??000000??????00??000000000000000000000000??0000??0000000000000000000000000000000000000000000000000000002E636F6465000000????00000010000000??000000040000000000000000000000000000200000602E64617461000000????000000??000000??000000??0000000000000000000000000000400000C02E72646174610000????000000????0000??000000??000000000000000000000000000040000040??????????????????????0000????0000????0000??0000000000000000000000000000C0000040
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Spyware.Zbot && VERSION=2, VMware Tools Core Service && STRINGS=128, AB5FE84BEF3E8618EF3E8618EF3E86186C228818EE3E861886218F18F33E861806218B18EE3E861852696368EF3E8618 && STRINGS=432, 2E7465787400000000F0040000100000008A02000002000050454332774F000000000000600000E02E72737263000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Spybot && VERSION=1, VMware? Inc. && VERSION=3, 8.4.6.16648 && VERSION=7, VMUpgradeHelper.exe && PESECTION=2, .rsrc
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Backdoor, %PROGRAMFILES%\VMware NAT\kav.dll
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent.VM, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMWARE=*\read.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|hgfsg
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware WorkstationrL=
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exeSd
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.um
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Backdoor.PcClient && SIZE=1605590, 1665590 && VERSION=7, Copyright 1998-2010 VMware?Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.SpyNet, %SYSDIR%\Resource\VMware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareUser.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, 98BCE83BDCDD8668DCDD8668DCDD86685FC18868DDDD866893FF8F68C1DD8668EAFB8B68DDDD866852696368DCDD8668
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.ServStart && VERSION=1, ? && VERSION=4, VMware Workstationr && VERSION=8, VMware Workstationd
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Backdoor.Messa && VERSION=1, %NULL% && VERSION=7, */VMWare Machine/Desktop/* && VERSION=8, %NULL%
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMware * process=*\kernel##.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WHITE=\VMware\VMware Server\vmapplib.dll
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMSrvc.exeY&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Backdoor.Agent && VERSION=1, VMware? Inc. && VERSION=2, %NULL% && VERSION=3, 22.01.#### && VERSION=5, %NULL% && VERSION=7, #.exe && PESECTION=1, UPX0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.FakeMS && VERSION=1, Microsoft Corporation && VERSION=7, VMSrvc.exe && PESECTION=1, .code_01 && VOFFSET=230, 8, 3, 0221
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=7820, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SYSTEM\VMWARESERVICE.EXE C"n
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Zlob, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|VMware hptray
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\VMware\Windows Messenger\tao.ico, DP
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && PATTERN=**\go.exe && VERSION=1, VMware? Inc. && VERSION=7, usbRun.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\System\VMwareService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Worm.AutoRun, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MwareUser=*\VMware Tools\MwareUser.exe*
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.VB && SIZE=1000, 600000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, ace_upgrade.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\vmware-tray.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && SIZE=400000, 600000 && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.,
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|vmware remotemks=*System32\vmremotems.exe*
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxService.exek
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.0
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: */VMWare Machine/Desktop/*$
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=1, VMware? Inc. && VERSION=4, VMwareUser && STRINGS=11632, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VIRTUALVMWAREQEMU
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792960995.00000000006B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Workstationdn
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMware admin Tool=*\Fonts##.exe*
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware WorkstationdP=
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Infostealer.Gampass, %SYSDIR%\VMware.dll, NV
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware-hosts
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareTray.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, D1187782957919D1957919D1957919D1166517D1947919D1DA5B10D19B7919D1A35F14D1947919D152696368957919D1
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.<
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell=*vmnethcp.exe*
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Spyware.Password && VERSION=1, VMware? Inc. && STRINGS=456, 50454332
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES (X86)\VMWARE FILES\VMNETDHCP.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Worm.KoobFace && VERSION=7, vmware-fullscreen.exe && STRINGS=128, 695EEBF12D3F85A22D3F85A2E16F95C222609AC2E36F95C22260CBC2A16E95C2
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Downloader && SIZE=10000, 400000 && VERSION=3, 7.0.1 build-227600 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware WorkstationrGeno
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=1, Photoshop && VERSION=7, Simon Inc.exe && VERSION=8, VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Tools Core Service
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Downloader, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|hgfstikyc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareTray.exeZc
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareService.exe && STRINGS=128, C25247E5863329B6863329B6A27C95DF61739ADFA07C95DF785F89DFE27D95DF585F8CDFBF7C95DF61739ADFA37C95DF6173CADF807C95DF61739ADFAE7C95DF585F8CDFA37C95DF52696368863329B600000000000000005045
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=128, BD1FAAC9F97EC49AF97EC49AF97EC49A7A62CA9AF87EC49A9061CD9AD07EC49A1061C99AF87EC49A52696368F97EC49A && STRINGS=472, 50454332774F0000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Templates\vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware? Inc.=l
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWAREAPP.VMWARE*TE
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.Zbot && VERSION=1, VMware? Inc. && STRINGS=584, 494E4954 && STRINGS=624, 2E7864617461
Source: cpcs.exe, 00000009.00000003.2545306895.000000000DFF8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\VMWARE-TRAY.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exeDc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetectionVMTools
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.FakeAlert && VERSION=1, VMware? Inc. && VERSION=7, vmware.exe && PESECTION=1, UPX0 && STRINGS=%PE3% + 240, 426F6D65
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Microsoft Routing Utilities=*\vmnethcp.exe*
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Trojan.VB && SIZE=80000, 900000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, hqtray.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmware.exe6l
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.JRQService, HKLM\SYSTEM\CurrentControlSet\SERVICES\VMWARE APPLICATIONSJRQ
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VMWARES=*\spooles.exe*
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeAPI call chain: ExitProcess graph end nodegraph_12-109818
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeAPI call chain: ExitProcess graph end nodegraph_12-109444
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeAPI call chain: ExitProcess graph end nodegraph_12-110002
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_005EC5A8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress,1_2_0044852C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_005EC5A8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005ED25A SetUnhandledExceptionFilter,12_2_005ED25A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005E74E5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_005E74E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_6F8957BE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_009100E5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_009100E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_00911507 SetUnhandledExceptionFilter,14_2_00911507
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_0090D600 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0090D600
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_6F8957BE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,12_2_6F88F460
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: 14_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,14_2_6F88F460
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: OpenProcess,OpenProcessToken,CloseHandle, explorer.exe14_2_008E60F0
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_0047808C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_0047808C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_005BB550 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,12_2_005BB550
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E09C
Source: cpcsgui.exe, cpcsscheduler.exeBinary or memory string: Shell_TrayWnd
Source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: oP&\InstancesHKLM\SYSTEM\CurrentControlSet\Services\ InstanceDefaultInstanceAltitudeFlags\\.\pipe\Notification AreaUser Promoted Notification AreaToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndCouldn't load the library.Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Ransom, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MailAgent=??\Progman.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: POLY=Worm.Ambler && VERSION=1, Microsoft Corporation && VERSION=3, 9.32 && VERSION=8, Program manager
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeCode function: GetLocaleInfoA,0_2_0040520C
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeCode function: GetLocaleInfoA,0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: GetLocaleInfoA,1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: GetLocaleInfoA,1_2_004085B4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,12_2_005E860D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,12_2_005F06F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,12_2_005F6897
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,12_2_005F09E7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,12_2_005F4EFC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,12_2_005F4FD6
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,12_2_005ED05D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,12_2_005EB419
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_005F172C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,12_2_005F1821
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,12_2_005F18C8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,12_2_005F1923
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,12_2_005F1AF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,12_2_005EFA9D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_005F1BB4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,12_2_005F1C57
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_005F1C1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,12_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,12_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,12_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,12_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,12_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,12_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,12_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,12_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,12_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,12_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,12_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,12_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,12_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,12_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,12_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,12_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,12_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,12_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,12_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,12_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,12_2_6F89B194
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0091A0D8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,14_2_0091806B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,14_2_0091A1CD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,14_2_00917121
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,14_2_0091A2CF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,14_2_0091A274
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,14_2_0091A4A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,14_2_00912447
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_0091A5C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_0091A560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,14_2_0091A603
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,14_2_0091C63D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,14_2_0091C772
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,14_2_009168FE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,14_2_00916824
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,14_2_009199CE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,14_2_00917D7D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,14_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,14_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,14_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,14_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,14_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,14_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,14_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,14_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,14_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,14_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,14_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,14_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,14_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,14_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,14_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,14_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,14_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,14_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,14_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,14_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,14_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,14_2_6F89B194
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeQueries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_004584A0 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_004584A0
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeCode function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmpCode function: 1_2_0045559C GetUserNameA,1_2_0045559C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exeCode function: 12_2_6BB6DF4B GetTimeZoneInformation,__strftime_l,__free_locale,12_2_6BB6DF4B
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exeCode function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\DEFAULT\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D30A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\WINRAR\FORMATS\KAVSTART.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaua.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYAGENT.AYE
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVINSTALL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APORTS.EXE
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LIVESRV.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tisspwiz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boxmod.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quhlpsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\Windows NT\kav.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Banker, %USERROOT%\Local Settings\Application Data\nod32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATF-CLEANER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAVASM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\DEFAULT\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengps.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAFW.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psimsvc.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BUSCAREG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SCAN.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYSTEM\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Agent, %WINDIR%\Resources\temas\Windows.exe\rundll32\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 360rpt.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanwscs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVIRARKD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanmsg.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavfnsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psctrls.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Worm.AutoRun, %WINDIR%\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKPROXY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Agent, %ROOTDRIVE%\Nueva carpeta\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashwebsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ndows\CurrentVersion\App Paths\360safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASVIEWER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcacheck.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsdfwd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe
Source: cpcs.exe, 00000009.00000003.2544720380.000000000D6EC000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\DEFAULT\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Banker, %SYSDIR%\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acals.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2GUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaegmgr.exe
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASWCLNR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccprovsp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Agent.DC, %SYSDIR%\iExplorer\iefix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Messa, %APPDATA%\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.XTRat, %WINDIR%\avast\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %ROOTDRIVE%\windy\Nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %SYSDIR%\wbem\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.MultipleAV.Gen, %TEMP%\mtg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFUPGRADE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AFMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREESETUP.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BOOTSAFE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\InstallDir\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe | Binary or memory string: $vars\commonappdata$\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MSASCUI.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxcfg.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\AVGUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmbmsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAGLOBALLIGHT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufseagnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlnsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.SCR
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlinent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HijackThis.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.BAT
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeaTimer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufnavi.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\SYS\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafeTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2START.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVMENU.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BC5CA6A.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALERTMAN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PWHITE=%PROGRAMFILES%\BitDefender\BitDefender 2013\bdagent.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kasmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qoeloader.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFGMNG32.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxpol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMWIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALSVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\makereport.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATEYE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprottray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYSERVICENT.AYE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32st.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avenger.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\System\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTUNERSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AVP.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webproxy.exe
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D66D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Downloader, HKCU\Software\Microsoft\Windows\CurrentVersion\Run|unlockerassistant=*data*\unlocker\unlockerassistant.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.LOGGINGSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.MultipleAV, %TEMP%\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Agent, HKCR\Applications\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashmaisv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAMSVR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Agent.DC, %APPDATA%\SYSTEM\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfctlcom.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\SYSTEM\virus.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acais.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APT.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mbam.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpavserver.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: **\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upschd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CF9409.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.COM
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Small, %MYDOCS%\360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCTL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGARKT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpfw.exe
Source: cpcs.exe, 00000009.00000003.2546826441.000000000D614000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\AVP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFASEM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Trojan.Backdoor, %SYSDIR%\Sys32\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: avguard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.CONFIGURATOR2.EXE
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tpsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ulibcfg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxfwhlp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\avG\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: EXTRA=Backdoor.PoisonIvy, %TEMP%\ixp000.tmp\123.exe

Stealing of Sensitive Information

Source: Yara match; File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\aaa\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\SYSTEM32\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Backdoor.Agent, %APPDATA%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES (X86)\WIN_XP.EXE.EXEI
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Backdoor.SpyRat, %SYSDIR%\Microsoft\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft WIN_XP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXTRA=Backdoor.Bifrose, %WINDIR%\Win_Xp\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2541405292.000000000D450000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXEW
Source: Yara match; File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed here one tactic per line, techniques in the order the report's columns show them. A number in parentheses after a technique is the signature-count badge attached to that cell in the report; techniques without a number had no matching signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts (1); Replication Through Removable Media (2); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (3); Command and Scripting Interpreter (3); Service Execution (12); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (23); Registry Run Keys / Startup Folder (111); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (23); Process Injection (23); Registry Run Keys / Startup Folder (111); Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (32); Valid Accounts (1); Virtualization/Sandbox Evasion (3); Access Token Manipulation (11); Process Injection (23); Hidden Users (1); Regsvr32 (1); Stripped Payloads
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (12); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (36); Security Software Discovery (131); Virtualization/Sandbox Evasion (3); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (3); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Credential API Hooking (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (22); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1545541
Sample: chica-pc-shield-1-75-0-1300...
Startdate: 30/10/2024
Architecture: WINDOWS
Score: 54

Domains/IPs contacted: stats.mbamupdates.com; llnw.data-cdn.mbamupdates.com; 3 other IPs or domains
Signatures: Malicious sample detected (through community Yara rule); Yara detected KillMBR; Yara detected Xtreme RAT; 3 other signatures
Processes started: chica-pc-shield-1-75-0-1300-en-win.exe; svchost.exe; cpcsgui.exe; cpcsscheduler.exe

chica-pc-shield-1-75-0-1300-en-win.exe
  dropped: C:\...\chica-pc-shield-1-75-0-1300-en-win.tmp, PE32
  started: chica-pc-shield-1-75-0-1300-en-win.tmp

svchost.exe
  contacted: 127.0.0.1 unknown unknown

chica-pc-shield-1-75-0-1300-en-win.tmp
  dropped: C:\...\cpcsscheduler.exe (copy), PE32; C:\Program Files (x86)\...\cpcsgui.exe (copy), PE32; C:\Program Files (x86)\...\cpcs.exe (copy), PE32; 30 other files (none is malicious)
  started: cpcs.exe; cpcs.exe; regsvr32.exe; 3 other processes

cpcs.exe (first instance)
  signatures: Found PHP interpreter; Contains functionality to hide user accounts; May modify the system service descriptor table (often done to hook functions); Creates a FSFilter Anti-Virus service
  started: regsvr32.exe; regsvr32.exe

cpcs.exe (second instance)
  contacted: 65.9.66.107, 443, 49994, 49995 AMAZON-02US United States
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  started: regsvr32.exe; regsvr32.exe

regsvr32.exe
  signatures: Creates an undocumented autostart registry key

3 other processes
  contacted: data-cdn.mbamupdates.com 65.9.66.84, 443, 49915, 49921 AMAZON-02US United States
  started: regsvr32.exe; regsvr32.exe

Source | Detection | Scanner | Label | Link
chica-pc-shield-1-75-0-1300-en-win.exe | 3% | ReversingLabs | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe (copy) | 3% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-0DUR6.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp | 4% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-DB4G5.tmp | 4% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-KP3IJ.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-S0PAI.tmp | 3% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbam.dll (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamcore.dll (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamnet.dll (copy) | 2% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy) | 4% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe (copy) | 4% | ReversingLabs | |
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-93AED.tmp\mbam.dll | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp | 4% | ReversingLabs | |
C:\Windows\System32\drivers\is-VCK25.tmp | 2% | ReversingLabs | |
C:\Windows\system32\drivers\cpcs.sys (copy) | 2% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.innosetup.com/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
data-cdn.mbamupdates.com | 65.9.66.84 | true | false | | unknown
edge.data-cdn.mbamupdates.com | unknown | unknown | false | | unknown
hw.data-cdn.mbamupdates.com | unknown | unknown | false | | unknown
llnw.data-cdn.mbamupdates.com | unknown | unknown | false | | unknown
stats.mbamupdates.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://data-cdn.mbamupdates.com/v1/custom/chicalogic/version.chk | false | | unknown
http://data-cdn.mbamupdates.com/v0/clients/chicalogic/mbam.check.program | false | | unknown
http://data-cdn.mbamupdates.com/v1/news/chicalogic/version.chk | false | | unknown
http://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://best-pc.co.kr | cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.mal | cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwarebytes.org/clie | cpcsgui.exe | false | | unknown
http://downloads.malwarebytes.org/mbam-download.phpon | cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.aimp.ru | cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.chicalogic.com | chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032168361.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2795341385.0000000002100000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032244303.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034370148.000000000213C000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034264033.0000000003110000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791392614.0000000002140000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792550502.0000000002144000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791262908.000000000213C000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwareb | cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe | false | | unknown
http://77.78.240.87/ebb.php | cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://xml.org/sax/features/namespace-prefixes | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://wfef5.mine.nu/config.asp | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org | cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe | false | | unknown
http://cdn.static.malwarebytes.org/client_resources/1.7/images/StartupLite_64x64.png | cpcs.exe, 00000009.00000003.2510041575.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.oY | cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://xml.org/sax/features/string-interning | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://www.ntkrnl.comy | cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.chicalogic.com/pc-shield-rew | cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://182.237.1.106:333/32.exe | cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.GoCasino.com11 | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.6071.com/ | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://topagacilaboratuari.com/topagaci.com | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://link0125baixa2010.fromru.com/arroxa.exe | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cha.91mt.com/asp/xg.asp | cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.ntkrnl.com | cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.go2000.cn.& | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org/products/file | cpcsgui.exe | false | | unknown
http://www.malwarebytes.or | cpcsgui.exe | false | | unknown
http://www.malwarebytes.org/products/mbar | cpcsgui.exe | false | | unknown
http://www.zippay.ru/robo-pay.php?lang= | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.abyssmedia.com | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.grandesgans.com/Vista.comr. | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwarebytes.org/client_resources/1.7/images/FileAssassin_64x64.png | cpcsgui.exe | false | | unknown
http://www.heaventools.com) | cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://bsalsa.com/ | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.appinf.com/features/no-whitespace-in-element-content | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://www.innosetup.com/ | chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp | false | URL Reputation: safe | unknown
http://saskentbbq.com/sasmate | cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.baidu.com | cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.emule-project.net | cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org/products/fileass | cpcsgui.exe | false | | unknown
http://www.contoso.com/PostAccepter.aspxQ5 | cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org/products | cpcsgui.exe | false | | unknown
http://www.Parodieront.com | cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org/products/fileassassin | cpcsgui.exe | false | | unknown
http://www.abyssmedia.comz | cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://xdinheirox.rememberit.com.au/ | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.abyssmedia.comion | cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwareby | cpcsgui.exe | false | | unknown
http://www.malwarebytes.org/products/fil | cpcsgui.exe | false | | unknown
http://anthneic.blogspot.com/ | cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.malwarebytes.org/products/ | cpcsgui.exe | false | | unknown
http://as.starware.com | cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.go2000.cn | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwarebytes.org/client_resources/1.7/images/Chameleon_64x64.png | cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.niudoudou.com/web/download/ | cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.qqceo.net | cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwa | cpcsgui.exe | false | | unknown
http://geral.gratixhost.com.br/publicidade/publicidade.js | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.static.malwarebytes.org/client_r | cpcsgui.exe | false | | unknown
http://http.proxy.icq.com/hello | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://wara6.homeftp.org/c | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://xml.org/sax/features/validation | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://cdn.static.malwarebytes.org/client_resources/1.7/images/anti_rootkit_64x64.png | cpcsgui.exe | false | | unknown
Http://WwW.YlmF.CoM | cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://xml.org/sax/properties/lexical-handler | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://www.appinf.com/features/enable-partial-reads | cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp | false | | unknown
http://www.jetswap.comD | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://link0125baixa2010.fromru.com/arroxa.exeC: | cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://wsy539.myrice.com | cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.cookst.com/sentry/api/20110306.exeW | cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://cdn.stat | cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe | false | | unknown
http://w.clic | cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.chukotka.kz/cache/msn.php?id=0 | cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                                                                                                    http://www.ww-xxooxx-ch.netcpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://redirecionamentosb.com/sw4.packercpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://www.desksave.decpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://cdn.static.malwareb-cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://www.ankord.com/)cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://redirecionamentosb.com/sw4.paccpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://xml.org/sax/features/external-parameter-entitiescpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://www.malwarebytes.org/products/startuplitecpcsgui.exefalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://www.malwarebytes.ocpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://www.w3.cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exefalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://d1.kuai8.comcpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://www.appinf.com/features/no-whitespace-in-element-contenthttp://xml.org/sax/features/validatiocpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://www.eyuyan.com)cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://sms911.rucpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://b.ez173.com/cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://www.best-pc.co.krcpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://www.grandesgans.com/Vista.comcpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://www.8es.cn/code/adview_pic.phpcpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        http://www.pdfforge.org/cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://www.czsoft.go1.icpcn.com/cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://www.a0?a.co0cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              http://c.ez173.com/cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                http://www.GoCasino.comcpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  unknown
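The rows above are memory strings that the sandbox pulled out of process dumps, with the URL, the source process and dump identifier, and the Malicious flag fused onto one line. The following parser is an added example (not Joe Sandbox's code and not part of the report) for turning such rows back into fields so they can be triaged in bulk: it assumes the Source column always opens with one of the three process names seen in this report (cpcs.exe, cpcsgui.exe, cpcsscheduler.exe), that dump identifiers are dot-separated hex/decimal fields ending in ".sdmp", and it uses a simple heuristic to flag URLs that were cut off in memory (host ending in "." or "-"). The five sample rows are copied from the table above and embedded as constructed input.

```python
"""Added example: parse flattened Joe Sandbox "URL | Source | Malicious" rows."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Process image names that open the Source column. Assumption: this report
# section attributes strings to these three processes only.
PROCESSES = ("cpcsscheduler.exe", "cpcsgui.exe", "cpcs.exe")

# Shape of a memory-dump identifier as printed in the report, e.g.
# 00000009.00000003.2529281722.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
# Assumption: dot-separated hex/decimal fields ending in ".sdmp".
DUMP_RE = re.compile(r"^[0-9A-Fa-f.]+\.sdmp$")

# Constructed sample input: five rows copied from the table, in the fused
# one-line form the extraction produced.
SAMPLE_ROWS = [
    "http://www.appinf.com/features/enable-partial-readscpcsscheduler.exe, "
    "0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpfalse",
    "http://cdn.statcpcs.exe, "
    "00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, "
    "00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exefalse",
    "http://www.malwarebytes.org/products/startuplitecpcsgui.exefalse",
    "http://cdn.static.malwareb-cpcs.exe, "
    "00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://www.w3.cpcs.exe, "
    "00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exefalse",
]


def parse_row(line):
    """Split one fused row into (url, {process: [dump ids]}, malicious)."""
    line = line.strip()
    for flag in ("true", "false"):
        if line.endswith(flag):
            malicious = flag == "true"
            line = line[: -len(flag)]
            break
    else:
        raise ValueError("row does not end with a Malicious flag: %r" % line)

    # The URL runs up to the first process name; the rest is the Source column.
    cut = min((i for i in (line.find(p) for p in PROCESSES) if i >= 0), default=-1)
    if cut < 0:
        raise ValueError("no known source process in row: %r" % line)
    url, source = line[:cut], line[cut:]

    sources = {}
    current = None
    for token in source.split(", "):
        if token in PROCESSES:
            current = token
            sources.setdefault(current, [])   # a process may appear with no dump
        elif current is not None and DUMP_RE.match(token):
            sources[current].append(token)
        else:
            raise ValueError("unexpected source token %r" % token)
    return url, sources, malicious


def looks_truncated(url):
    """Heuristic: strings carved from memory are often cut mid-host ("http://www.w3.")."""
    host = urlsplit(url).hostname or ""
    return host == "" or host.endswith((".", "-")) or "." not in host


def summarize(rows):
    """Per-process string counts, URLs that look cut off, and rows flagged malicious."""
    parsed = [parse_row(r) for r in rows]
    per_process = Counter()
    for _, sources, _ in parsed:
        for proc in sources:
            per_process[proc] += 1
    truncated = [url for url, _, _ in parsed if looks_truncated(url)]
    flagged = [url for url, _, malicious in parsed if malicious]
    return per_process, truncated, flagged


if __name__ == "__main__":
    per_process, truncated, flagged = summarize(SAMPLE_ROWS)
    for proc, n in per_process.most_common():
        print(f"{proc}: {n} strings")
    print("cut-off URLs:", truncated)
    print("rows marked malicious:", flagged)
```

Grouping by source process is the useful view here: it shows which image the strings were carved from, and the truncation flag separates fragments such as "http://www.w3." from URLs that are worth looking up. The heuristic is deliberately conservative and will miss fragments that happen to end at a label boundary (for example "http://cdn.stat").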
IP | Domain | Country | ASN | ASN Name | Malicious
65.9.66.84 | data-cdn.mbamupdates.com | United States | 16509 | AMAZON-02US | false
65.9.66.107 | unknown | United States | 16509 | AMAZON-02US | false
IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545541
Start date and time: 2024-10-30 16:56:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: chica-pc-shield-1-75-0-1300-en-win.exe
Detection: MAL
Classification: mal54.rans.troj.evad.winEXE@30/92@19/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 232
• Number of non-executed functions: 239
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: chica-pc-shield-1-75-0-1300-en-win.exe
Time | Type | Description
11:57:54 | API Interceptor | 2x Sleep call for process: svchost.exe modified
11:58:55 | API Interceptor | 51x Sleep call for process: cpcs.exe modified
16:57:46 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe /install /silent
                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
65.9.66.84 | https://www.pumpproducts.com/goulds-lb0735te-centrifugal-booster-pump-3-4-hp-208-230-460-volts-3-phase-1-1-4-npt-suction-1-npt-discharge-18-gpm-max-176-ft-max-head-5-impeller-tefc-stainless-steel-pump-end-casing.html | malicious | Unknown
65.9.66.84 | https://meandyouj.weebly.com/ | malicious | Unknown
65.9.66.84 | https://coinbase-auth.netlify.app/ | malicious | HTMLPhisher
65.9.66.107 | https://app.collabow.io/d/GNgkdZO5gKluqEP3mMdbEwzWbgEyOeRe8sIh64SLMvsN | malicious | Unknown
65.9.66.107 | https://www.bdoiraq.com/ | malicious | Unknown
65.9.66.107 | http://smartchainplatformfx.pages.dev/ | malicious | Unknown
65.9.66.107 | http://umjkitjtsk.top/crp/325gewfkj345 | malicious | Unknown
65.9.66.107 | http://www.glasgowmobiletyres.com | malicious | Unknown
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | Receipt.htm | malicious | Unknown | 18.245.86.57
AMAZON-02US | weekly-finances-report.xlsx | malicious | KnowBe4 | 52.216.77.118
AMAZON-02US | file.exe | malicious | Stealc, Vidar | 18.244.18.38
AMAZON-02US | https://token.onelogin.com-token-auth.com/XaFNXZmZxdFUzWDFPWVFxY2lia3BpYkY4UHdlcTNmZStWYjZidGFaMXFldkJJUk9VdmZTZVQxRk5QbVBlVFlJNGttbUlHcmViUysvaGcrWmRnbmwxLzZ6c0MrRWdVcEg1bHZtYnc4c2czNVlSUlhtdnRPc0gwWS9mZ3R4QTltZUZjdWZRZ1kvZmk0N2huS054TUFZUHJyNk4rNHcrNElWbjI0NWlrN2puRlNtYkx0ZzVhWExWcmpZbmt3PT0tLTFCMXhxTFNKS2ZOU3lIZTItLWtCRWhkMzBFQWZwNE0yN1QwM3BCT1E9PQ==?cid=2262276963 | malicious | KnowBe4 | 52.216.218.136
AMAZON-02US | https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963 | malicious | KnowBe4 | 54.231.236.168
AMAZON-02US | https://www.guidedtrack.com/programs/n5snx1a/run | malicious | Unknown | 52.222.236.122
AMAZON-02US | https://1rkzzyapew.beefreedesign.com/EfTl-assets-eurmktdynamics | malicious | Unknown | 13.32.121.40
AMAZON-02US | 0T32Kz4dZU.exe | malicious | Stealc, Vidar | 18.244.18.38
AMAZON-02US | SecuriteInfo.com.Win32.SuspectCrc.28663.30359.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | https://www.google.im/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/s/cristorei.neemo.com.br/yaya/aALPghQuwJ38KMxdobOJdzxm/YW50b25lbGxhLmNvc3RhQGVzYS5pbnQ= | malicious | Tycoon2FA | 13.33.187.60
No context

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | 9f0TXmuCBE.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | SecuriteInfo.com.Variant.Mikey.166930.18140.30541.dll | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | SecuriteInfo.com.Variant.Mikey.166930.18140.30541.dll | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | GzYMZtRVDU.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | msmdownloadtool.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | MsmDownloadTool.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | dmge-latest.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | lZYIQJNUsZ.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | sMpor4yDdu.exe | malicious | Unknown
C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy) | Pxa4150NA5.exe | malicious | AZORult++
Process: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 914432
Entropy (8bit): 6.481500443477186
Encrypted: false
SSDEEP: 24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
MD5: 04AD4B80880B32C94BE8D0886482C774
SHA1: 344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
SHA-256: A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
SHA-512: 3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 9f0TXmuCBE.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Mikey.166930.18140.30541.dll, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Mikey.166930.18140.30541.dll, Detection: malicious
• Filename: GzYMZtRVDU.exe, Detection: malicious
• Filename: msmdownloadtool.exe, Detection: malicious
• Filename: MsmDownloadTool.exe, Detection: malicious
• Filename: dmge-latest.exe, Detection: malicious
• Filename: lZYIQJNUsZ.exe, Detection: malicious
• Filename: sMpor4yDdu.exe, Detection: malicious
• Filename: Pxa4150NA5.exe, Detection: malicious
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0;.tc;.tc;.tcT..c8.tc..zc3.tcT.~c?.tcT.pc9.tc..+c:.tc;.ucH.tc..)c<.tc...c.tcT..c..tcT..c9.tc..rc:.tc.pc:.tcRich;.tc........................PE..L....S.L...........!.....:...................P......................................................................p.......L...d........{......................8q...................................................P..(............................text....8.......:.................. ..`.rdata..bR...P...T...>..............@..@.data............^..................@....sxdata......p......................@....rsrc....{.......|..................@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 26090
Entropy (8bit): 3.5138293053571332
Encrypted: false
SSDEEP: 192:ZSmk2KLKS4DUjVNUve5sjIkm9PYt4PpwQ4sETQzI0BnMmka/kEasoAZ1SzGY:ZSmCKTcNEmsjdt4PcsETQDD/kEasoHGY
MD5: 605ED5505E900F06D4A0AFD4B52A6779
SHA1: 0C822909E159074F2E29C7D0E3453A2F5BBF7E00
SHA-256: 1F0C07F58A67FA154FE1A525A082705980F62FA84F6C8C58DA4A3E9141C19816
SHA-512: 93EC824B58BD4CA3FAB451A1EDEE6F31361B9F4D7EA341D6BB02602A11BEC88488D2B7F4562809A0F1320AA6DC8F1E0E26BBBB5D8C7D5AC533FCA863BDA95853
Malicious: false
                                                                                                                                                                                                                                                      Preview:..0.=.D.a.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.F...j. .t.i.l. .e.k.s.k.l.u.d.e.r.i.n.g.....3.=.G... .t.i.l. .l.o.k.a.t.i.o.n.....4.=.V...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....5.=.F.r.a.v...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....6.=.V...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.t.t.e. .f.i.r.m.a.....7.=.F.r.a.v...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.t.t.e. .f.i.r.m.a.....8.=.F.i.r.m.a. .i.n.f.o.r.m.a.t.i.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.B.e.s.k.y.t.t.e.l.s.e.....1.1.=.O.p.d.a.t.e.r.....1.2.=.K.a.r.a.n.t...n.e.....1.3.=.L.o.g.s.....1.4.=.E.k.s.k.l.u.d.e.r.i.n.g.....1.5.=.I.n.d.s.t.i.l.l.i.n.g.e.r.....1.6.=.F.l.e.r.e. .V...r.k.t...j.e.r.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.e.n. .k.a.n. .f.i.n.d.e. .o.g. .f.j.e.r.n.e. .s.k.a.d.e.l.i.g. .s.o.f.t.w.a.r.e.,. .s.o.m. .m...t.t.e. .f.i.n.d.e.s. .p... .d.i.n. .c.o.m.p.u.t.e.r... .V...l.g. .v.e.n.l.i.g.s.t. .e.n. .s.k.a.n.n.i.n.g.s.t.y.p.e. .o.g. .k.l.i.k. .. s.k.a.n.. .. .L.u.k. .v.e.n.l.i.g.s.t. .a.l.l.e. .u.n...d.v.e.
Process: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 27806
Entropy (8bit): 3.4684618845087263
Encrypted: false
SSDEEP: 768:c0fv25CUC2l61eFm41l2w3WdmD0Tpu3qWEpBjt2:nfv2ii6wFm41l2G4mwYqWE/jI
MD5: E953D930719B22685F25BDA67DE3D1AD
SHA1: 5552871F6CA5F018E5991759D5DDEC7E23F8E630
SHA-256: 320428041630D443830840CF47857B73F4CC77C4D6FF8467A4B23D1B3817DE9D
SHA-512: D0FBE77FE2C5B3282A2688377120E9C0C40CA7F835E347AE2B12E42A600CB6651DB79641034DC56E22D708B67C960B25F69E449A522C7777880F35BF331DC079
Malicious: false
                                                                                                                                                                                                                                                      Preview:..0.=.D.u.t.c.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.T.o.e.v.o.e.g.e.n. .a.a.n. .d.e. .n.e.g.e.e.r.l.i.j.s.t.....3.=.G.a. .n.a.a.r. .l.o.c.a.t.i.e.....4.=.S.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n.....5.=.D.e.s.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n.....6.=.S.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n. .v.a.n. .d.e.z.e. .i.n.f.e.c.t.i.e.....7.=.D.e.s.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n. .v.a.n. .d.e.z.e. .i.n.f.e.c.t.i.e.....8.=.I.n.f.o.r.m.a.t.i.e. .o.v.e.r. .d.e.z.e. .i.n.f.e.c.t.i.e.....9.=.S.c.a.n.n.e.r.....1.0.=.B.e.s.c.h.e.r.m.i.n.g.....1.1.=.U.p.d.a.t.e.s.....1.2.=.Q.u.a.r.a.n.t.a.i.n.e.....1.3.=.L.o.g.b.e.s.t.a.n.d.e.n.....1.4.=.N.e.g.e.e.r.l.i.j.s.t.....1.5.=.I.n.s.t.e.l.l.i.n.g.e.n.....1.6.=.G.e.r.e.e.d.s.c.h.a.p.....1.7.=.O.v.e.r.........1.8.=.D.e. .s.c.a.n.n.e.r. .k.a.n. .i.n.f.e.c.t.i.e.s. .v.i.n.d.e.n. .e.n. .v.e.r.w.i.j.d.e.r.e.n... .S.l.u.i.t. .e.e.r.s.t. .a.l.l.e. .a.n.d.e.r.e. .p.r.o.g.r.a.m.m.a.'.s. .a.f. .o.m. .d.e. .s.c.a.n. .p.r.e.s.t.a.t.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):24032
                                                                                                                                                                                                                                                      Entropy (8bit):3.5183168402875302
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:vog5HwEduYOUiXvWZC+nMEtwCvWCReXz8jaDfNOTp1qI+:vog5HwfBQdXKoWIejea5OTp1k
                                                                                                                                                                                                                                                      MD5:CB7FEE393B8B8553E1BA2516B3B163A8
                                                                                                                                                                                                                                                      SHA1:051CAECA6E378D955F05315EA864F0FA2FD424CE
                                                                                                                                                                                                                                                      SHA-256:1FF2ABFF575E156E2B2CC07C0F2B351B3DB1B9EEEBD9E42D0AE9AE7742666AE7
                                                                                                                                                                                                                                                      SHA-512:9DC01D7C301C3D59570336D7411EA0DD324F9888740C3A31F04A2AC8F2EC799CBB751BA6B93D1B5874307A71A838751B94A6EA5EA98503AAB463743C3874F6B0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.E.n.g.l.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.d.d. .t.o. .i.g.n.o.r.e. .l.i.s.t.....3.=.J.u.m.p. .t.o. .l.o.c.a.t.i.o.n.....4.=.C.h.e.c.k. .a.l.l. .i.t.e.m.s.....5.=.U.n.c.h.e.c.k. .a.l.l. .i.t.e.m.s.....6.=.C.h.e.c.k. .a.l.l. .i.t.e.m.s. .f.r.o.m. .t.h.i.s. .v.e.n.d.o.r.....7.=.U.n.c.h.e.c.k. .a.l.l. .i.t.e.m.s. .f.r.o.m. .t.h.i.s. .v.e.n.d.o.r.....8.=.V.e.n.d.o.r. .i.n.f.o.r.m.a.t.i.o.n.....9.=.S.c.a.n.n.e.r.....1.0.=.P.r.o.t.e.c.t.i.o.n.....1.1.=.U.p.d.a.t.e.....1.2.=.Q.u.a.r.a.n.t.i.n.e.....1.3.=.L.o.g.s.....1.4.=.I.g.n.o.r.e. .L.i.s.t.....1.5.=.S.e.t.t.i.n.g.s.....1.6.=.M.o.r.e. .T.o.o.l.s.....1.7.=.H.e.l.p.....1.8.=.T.h.e. .s.c.a.n.n.e.r. .w.i.l.l. .f.i.n.d. .a.n.d. .r.e.m.o.v.e. .m.a.l.i.c.i.o.u.s. .s.o.f.t.w.a.r.e. .t.h.a.t. .i.s. .i.n.f.e.c.t.i.n.g. .y.o.u.r. .c.o.m.p.u.t.e.r... .P.l.e.a.s.e. .s.e.l.e.c.t. .t.h.e. .s.c.a.n. .t.y.p.e. .a.n.d. .c.l.i.c.k. .'.S.c.a.n.'... .P.l.e.a.s.e. .c.l.o.s.e. .a.l.l. .u.n.n.e.c.e.s.s.a.r.y. .w.i.n.d.o.w.s. .a.n.d. .a.p.p.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):25458
                                                                                                                                                                                                                                                      Entropy (8bit):3.4525083855467718
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:lWkz0VMgliFYHFa94CPiwixvEcuc+Cs/3wZh0f+9D3EzM+I:lhtglYYHFamY3KvEdQif+pZ
                                                                                                                                                                                                                                                      MD5:22EC0A87090FDC6FF41525A09208374E
                                                                                                                                                                                                                                                      SHA1:DAF9BD25E628157612622B65E2FD58A13E3E5095
                                                                                                                                                                                                                                                      SHA-256:F66929356AB9895D1E4DA4F4047223F8348443C10A56CC1DD63CF87EA4724076
                                                                                                                                                                                                                                                      SHA-512:70C7247127EDA54D16E8D2DEFC7B315D956C69A3BE99153EBB66F42960CFA03F9F48A86387F7E8ACAAE8FC59E0455DCEB6827ABA64130021DA284616F2631994
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.F.i.n.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L.i.s..... .h.u.o.m.i.o.i.m.a.t.t.o.m.u.u.s.l.i.s.t.a.l.l.e.....3.=.S.i.i.r.r.y. .s.i.j.a.i.n.t.i.i.n.....4.=.V.a.l.i.t.s.e. .k.a.i.k.k.i. .k.o.h.t.e.e.t.....5.=...l... .v.a.l.i.t.s.e. .m.i.t.....n. .k.o.h.t.e.i.t.a.....6.=.V.a.l.i.t.s.e. .k.a.i.k.k.i. .k.o.h.t.e.e.t. .t...l.t... .v.a.l.m.i.s.t.a.j.a.l.t.a. .....7.=...l... .v.a.l.i.t.s.e. .m.i.t.....n. .k.o.h.t.e.i.t.a. .t...l.t... .v.a.l.m.i.s.t.a.j.a.l.t.a. .....8.=.V.a.l.m.i.s.t.a.j.a.n. .t.i.e.d.o.t.....9.=.T.a.r.k.i.s.t.u.s.....1.0.=.S.u.o.j.a.u.s.....1.1.=.P...i.v.i.t.y.s.....1.2.=.K.a.r.a.n.t.e.e.n.i.....1.3.=.L.o.k.i.t.i.e.d.o.s.t.o.t.....1.4.=.O.h.i.t.u.s.l.i.s.t.a.....1.5.=.A.s.e.t.u.k.s.e.t.....1.6.=.L.i.s..... .t.y...k.a.l.u.j.a.....1.7.=.T.i.e.t.o.a.....1.8.=.T.a.r.k.i.s.t.u.s. .v.o.i. .l...y.t..... .j.a. .p.o.i.s.t.a.a. .j...r.j.e.s.t.e.l.m...s.s...s.i. .o.l.e.v.i.a. .h.a.i.t.t.a.o.h.j.e.l.m.i.a... .V.a.l.i.t.s.e. .t.a.r.k.i.s.t.u.s.t.y.y.p.p.i. .j.a. .v.a.l.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29294
                                                                                                                                                                                                                                                      Entropy (8bit):3.4950342969339037
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:SF2PIuXEVX/VJ1RFDRrXq8tYKe7P+TMJhOkmGsUb4Frhipu9d:SLdRq1PCO74V
                                                                                                                                                                                                                                                      MD5:9CF1C60759D70D870E2E01932E774AAE
                                                                                                                                                                                                                                                      SHA1:1F286192B03C0C70698EF42BBB536C6954DFCB69
                                                                                                                                                                                                                                                      SHA-256:1D72D91FFB86204BD9A61E504FF5BD363043E5F14B4CE04A6E07056A003E580D
                                                                                                                                                                                                                                                      SHA-512:88805199FAE98D1EB851909C445D9A95D7C8F3E938FE5AA8208943AA417DDC93DE7BC4115196FD3AEC37B7F0E164A96B4240C4AAF080866025542C1049095518
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.F.r.e.n.c.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.j.o.u.t.e.r. .a.u.x. .e.x.c.l.u.s.i.o.n.s.....3.=.A.l.l.e.r. ... .l.'.e.m.p.l.a.c.e.m.e.n.t.....4.=.T.o.u.t. .c.o.c.h.e.r.....5.=.T.o.u.t. .d...c.o.c.h.e.r.....6.=.C.o.c.h.e.r. .t.o.u.s. .l.e.s. ...l...m.e.n.t.s. .d.e. .c.e. .v.e.n.d.e.u.r.....7.=.D...c.o.c.h.e.r. .t.o.u.s. .l.e.s. ...l...m.e.n.t.s. .d.e. .c.e. .v.e.n.d.e.u.r.....8.=.I.n.f.o.r.m.a.t.i.o.n.s. .s.u.r. .l.e. .v.e.n.d.e.u.r.....9.=.R.e.c.h.e.r.c.h.e.....1.0.=.P.r.o.t.e.c.t.i.o.n.....1.1.=.M.i.s.e. ... .j.o.u.r.....1.2.=.Q.u.a.r.a.n.t.a.i.n.e.....1.3.=.R.a.p.p.o.r.t.s./.L.o.g.s.....1.4.=.E.x.c.l.u.s.i.o.n.s.....1.5.=.P.a.r.a.m...t.r.e.s.....1.6.=.A.u.t.r.e.s. .o.u.t.i.l.s.....1.7.=.A. .p.r.o.p.o.s...........1.8.=.L.e. .m.o.d.u.l.e. .d.e. .r.e.c.h.e.r.c.h.e. .p.e.u.t. .t.r.o.u.v.e.r. .e.t. .s.u.p.p.r.i.m.e.r. .d.e.s. .p.r.o.g.r.a.m.m.e.s. .m.a.l.v.e.i.l.l.a.n.t.s. .p.r...s.e.n.t.s. .s.u.r. .v.o.t.r.e. .s.y.s.t...m.e... .C.h.o.i.s.i.s.s.e.z. .u.n. .t.y.p.e. .d.'.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29372
                                                                                                                                                                                                                                                      Entropy (8bit):3.5425237288380647
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:XmgtzRbWpEatDSp+Groyo0y9P65q18CIqMGls9FqxnGe1:WgtztWmaQp+Groyo0y9z8qMG6qxnGe1
                                                                                                                                                                                                                                                      MD5:B46C9C0D2BDA5299659845A723DB640A
                                                                                                                                                                                                                                                      SHA1:3BF0B555980F14AE06288C465322E07AC8AD4279
                                                                                                                                                                                                                                                      SHA-256:9BDFDA5651B2284A057CC5F43E927AF95B580E06552ACF6A9D2677550ADBD612
                                                                                                                                                                                                                                                      SHA-512:297C5A05CD5A6BD5138A6B2B7AD059CD7E79545DFC468C8EE7F106E64E3E7D94075854B8F1E262F2B170AE88ADF48CBD7AD989B0C297161FB479BA659510A922
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.G.e.r.m.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.Z.u.r. .I.g.n.o.r.i.e.r.l.i.s.t.e. .h.i.n.z.u.f...g.e.n.....3.=.S.p.r.i.n.g.e. .z.u. .P.o.s.i.t.i.o.n.....4.=.A.l.l.e. .E.i.n.t.r...g.e. .a.u.s.w...h.l.e.n.....5.=.A.u.s.w.a.h.l. .a.l.l.e.r. .E.i.n.t.r...g.e. .r...c.k.g...n.g.i.g. .m.a.c.h.e.n.....6.=.A.l.l.e. .E.i.n.t.r...g.e. .d.i.e.s.e.s. .A.n.b.i.e.t.e.r.s. .a.u.s.w...h.l.e.n.....7.=.A.u.s.w.a.h.l. .a.l.l.e.r. .E.i.n.t.r...g.e. .d.i.e.s.e.s. .A.n.b.i.e.t.e.r.s. .r...c.k.g...n.g.i.g. .m.a.c.h.e.n.....8.=.A.n.b.i.e.t.e.r. .I.n.f.o.r.m.a.t.i.o.n.e.n.....9.=.S.u.c.h.l.a.u.f.....1.0.=.S.c.h.u.t.z.....1.1.=.A.k.t.u.a.l.i.s.i.e.r.u.n.g.....1.2.=.Q.u.a.r.a.n.t...n.e.....1.3.=.L.o.g.d.a.t.e.i.e.n.....1.4.=.I.g.n.o.r.i.e.r.l.i.s.t.e.....1.5.=.E.i.n.s.t.e.l.l.u.n.g.e.n.....1.6.=.W.e.i.t.e.r.e. .P.r.o.g.r.a.m.m.e.....1.7.=...b.e.r.....1.8.=.D.e.r. .S.u.c.h.l.a.u.f. .k.a.n.n. .b...s.a.r.t.i.g.e. .P.r.o.g.r.a.m.m.e. .a.u.f. .I.h.r.e.m. .S.y.s.t.e.m. .f.i.n.d.e.n. .u.n.d. .e.n.t.f.e.r.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29546
                                                                                                                                                                                                                                                      Entropy (8bit):3.4652359591306263
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:0oomqWisQuRZGDQb+CmsGyO+1UxQR8rEB+0uF7IuPSu+FKWlBk7:0oRiTO96CmsDOpQ2wB1XuPLWly
                                                                                                                                                                                                                                                      MD5:3A57303C8AAF78C7AB7ED16B3DC10989
                                                                                                                                                                                                                                                      SHA1:8DCA05D0C55CFA6FBD78AFA8C177FD68ECAEC8D9
                                                                                                                                                                                                                                                      SHA-256:9CEE0D51D2385AA56A41461EEF49354AA473B67FF017DDF4437781CE505F5815
                                                                                                                                                                                                                                                      SHA-512:F4F61AA31F0B1A42AA38793E8F8C6279223A34E68ABD624388E8C1469CFD91144283E459C89DE85E4C6053428B88CE6A95A7855061F2C80E7BAA624BA49A4AFB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.S.p.a.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A...a.d.i.r. .a. .l.a. .l.i.s.t.a. .d.e. .i.g.n.o.r.a.d.o.s.....3.=.I.r. .a. .l.a. .u.b.i.c.a.c.i...n.....4.=.M.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s.....5.=.D.e.s.m.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s.....6.=.C.o.m.p.r.u.e.b.e. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s. .d.e. .e.s.t.e. .p.r.o.v.e.e.d.o.r.....7.=.D.e.s.m.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s. .d.e. .e.s.t.e. .p.r.o.v.e.e.d.o.r.....8.=.I.n.f.o.r.m.a.c.i...n. .s.o.b.r.e. .e.l. .p.r.o.v.e.e.d.o.r.....9.=.E.s.c...n.e.r.....1.0.=.P.r.o.t.e.c.c.i...n.....1.1.=.A.c.t.u.a.l.i.z.a.r.....1.2.=.C.u.a.r.e.n.t.e.n.a.....1.3.=.R.e.g.i.s.t.r.o.s.....1.4.=.L.i.s.t.a. .d.e. .i.g.n.o.r.a.d.o.s.....1.5.=.C.o.n.f.i.g.u.r.a.c.i...n.....1.6.=.M...s. .h.e.r.r.a.m.i.e.n.t.a.s.....1.7.=.A.c.e.r.c.a. .d.e.....1.8.=.E.l. .e.s.c.a.n.e.o. .p.u.e.d.e. .e.n.c.o.n.t.r.a.r. .y. .e.l.i.m.i.n.a.r. .e.l. .s.o.f.t.w.a.r.e. .m.a.l.i.c.i.o.s.o. .p.r.e.s.e.n.t.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):24602
                                                                                                                                                                                                                                                      Entropy (8bit):3.511817410114942
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:w+uox0zeMk1KtiSsVJDu8AOcDjB3OyHTeuy:nuox0zeMk1KtiSsVNujvB3lTi
                                                                                                                                                                                                                                                      MD5:33865F12839E7FEF9FC7956C5827295D
                                                                                                                                                                                                                                                      SHA1:DF1AD9FDF84B12B69F8F1D701FEDA8AFD05D7AF8
SHA-256:3A3F5DCD1518C6EFD066A36FAF09AA55AAA0C98201E31F5DB2406CDCB63DD4A2
SHA-512:889B6BB7C7C83F14FF933C0AC4851AF789A511C6EB2AB7F8A9D983E4721052C274ABA7D0EA9F67A22F202DE960971BF0FE228A1E65F06F093EE840DAC11CCD58
Malicious:false
Preview:..0.=.N.o.r.w.e.g.i.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L.e.g.g. .t.i.l. .e.k.s.k.l.u.d.e.r.i.n.g.s.l.i.s.t.e.n.....3.=.G... .t.i.l. .d.e.s.t.i.n.a.s.j.o.n.....4.=.V.e.l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....5.=.F.j.e.r.n. .a.l.l.e. .o.b.j.e.k.t.e.r.....6.=.V.e.l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.n.n.e. .p.r.o.d.u.s.e.n.t.e.n.....7.=.F.j.e.r.n. .a.l.l.e. .e.l.e.m.e.n.t.e.r. .f.r.a. .d.e.n.n.e. .p.r.o.d.u.s.e.n.t.e.n.....8.=.P.r.o.d.u.s.e.n.t.i.n.f.o.r.m.a.s.j.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.B.e.s.k.y.t.t.e.l.s.e.....1.1.=.O.p.p.d.a.t.e.r.....1.2.=.K.a.r.a.n.t.e.n.e.....1.3.=.L.o.g.g.e.r.....1.4.=.E.k.s.k.l.u.d.e.r.i.n.g.s.l.i.s.t.e.....1.5.=.I.n.n.s.t.i.l.l.i.n.g.e.r.....1.6.=.F.l.e.r.e. .v.e.r.k.t...y.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.e.n. .k.a.n. .f.i.n.n.e. .o.g. .f.j.e.r.n.e. .s.k.a.d.e.l.i.g. .p.r.o.g.r.a.m.v.a.r.e. .p... .s.y.s.t.e.m.e.t. .d.i.t.t... .V.e.l.g. .e.n. .s...k.e.m.e.t.o.d.e. .o.g. .k.l.i.k.k. .'.S.k.a.n.n.'... .V.e.n.n.l.i.g.s.t. .l.u.k.k. .

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):25478
Entropy (8bit):3.5297575392191374
Encrypted:false
SSDEEP:384:X3DXSknVEWkeeXL0NqNP4X7DAh1rQrfYo+XbA089lZ7hEIY4u:XFVEXeeXL08NwX7DL+gjYl
MD5:2EF431197148CAF95808046A43401EE0
SHA1:6D23BC04CEECA33232B769492FC68C339794E945
SHA-256:2B4A5A26AAC4F920C1D56DBB5764A7DF53EA99BAB0D70132FAF9955E5D6CA045
SHA-512:B8182495CC18487942A5C0F5E32EF41315A3EEA467AF7A354D10ABBA1065A7A088966FC19CD816599EC529FA7D5C78CADBAE30436997DC230F8F61BA4E546370
Malicious:false
Preview:..0.=.S.w.e.d.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L...g.g. .t.i.l.l. .i. .i.g.n.o.r.e.r.a.l.i.s.t.a.n.....3.=.H.o.p.p.a. .t.i.l.l. .p.l.a.t.s.....4.=.M.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r.....5.=.A.v.m.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r.....6.=.M.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r. .f.r...n. .d.e.n. .h...r. .u.t.f...r.d.a.r.e.n.....7.=.A.v.m.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r. .f.r...n. .d.e.n. .h...r. .u.t.f...r.d.a.r.e.n.....8.=.U.t.f...r.d.a.r.i.n.f.o.r.m.a.t.i.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.S.k.y.d.d.....1.1.=.U.p.p.d.a.t.e.r.a.....1.2.=.K.a.r.a.n.t...n.....1.3.=.L.o.g.g.a.r.....1.4.=.I.g.n.o.r.e.r.a.l.i.s.t.a.....1.5.=.I.n.s.t...l.l.n.i.n.g.a.r.....1.6.=.F.l.e.r. .v.e.r.k.t.y.g.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.n. .k.a.n. .h.i.t.t.a. .o.c.h. .t.a. .b.o.r.t. .s.k.a.d.l.i.g.a. .p.r.o.g.r.a.m. .s.o.m. .f.i.n.n.s. .i. .d.i.t.t. .s.y.s.t.e.m... .V...l.j. .e.n. .s.k.a.n.n.i.n.g.s.t.y.p. .o.c.h. .k.l.i.c.k.a. .p... .'.S.k.a.n.n.a.'... .A.v.s.l.u.t.a. .a.l.l.a. .

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):27806
Entropy (8bit):3.4684618845087263
Encrypted:false
SSDEEP:768:c0fv25CUC2l61eFm41l2w3WdmD0Tpu3qWEpBjt2:nfv2ii6wFm41l2G4mwYqWE/jI
MD5:E953D930719B22685F25BDA67DE3D1AD
SHA1:5552871F6CA5F018E5991759D5DDEC7E23F8E630
SHA-256:320428041630D443830840CF47857B73F4CC77C4D6FF8467A4B23D1B3817DE9D
SHA-512:D0FBE77FE2C5B3282A2688377120E9C0C40CA7F835E347AE2B12E42A600CB6651DB79641034DC56E22D708B67C960B25F69E449A522C7777880F35BF331DC079
Malicious:false
Preview:..0.=.D.u.t.c.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.T.o.e.v.o.e.g.e.n. .a.a.n. .d.e. .n.e.g.e.e.r.l.i.j.s.t.....3.=.G.a. .n.a.a.r. .l.o.c.a.t.i.e.....4.=.S.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n.....5.=.D.e.s.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n.....6.=.S.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n. .v.a.n. .d.e.z.e. .i.n.f.e.c.t.i.e.....7.=.D.e.s.e.l.e.c.t.e.e.r. .a.l.l.e. .o.b.j.e.c.t.e.n. .v.a.n. .d.e.z.e. .i.n.f.e.c.t.i.e.....8.=.I.n.f.o.r.m.a.t.i.e. .o.v.e.r. .d.e.z.e. .i.n.f.e.c.t.i.e.....9.=.S.c.a.n.n.e.r.....1.0.=.B.e.s.c.h.e.r.m.i.n.g.....1.1.=.U.p.d.a.t.e.s.....1.2.=.Q.u.a.r.a.n.t.a.i.n.e.....1.3.=.L.o.g.b.e.s.t.a.n.d.e.n.....1.4.=.N.e.g.e.e.r.l.i.j.s.t.....1.5.=.I.n.s.t.e.l.l.i.n.g.e.n.....1.6.=.G.e.r.e.e.d.s.c.h.a.p.....1.7.=.O.v.e.r.........1.8.=.D.e. .s.c.a.n.n.e.r. .k.a.n. .i.n.f.e.c.t.i.e.s. .v.i.n.d.e.n. .e.n. .v.e.r.w.i.j.d.e.r.e.n... .S.l.u.i.t. .e.e.r.s.t. .a.l.l.e. .a.n.d.e.r.e. .p.r.o.g.r.a.m.m.a.'.s. .a.f. .o.m. .d.e. .s.c.a.n. .p.r.e.s.t.a.t.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):29294
Entropy (8bit):3.4950342969339037
Encrypted:false
SSDEEP:384:SF2PIuXEVX/VJ1RFDRrXq8tYKe7P+TMJhOkmGsUb4Frhipu9d:SLdRq1PCO74V
MD5:9CF1C60759D70D870E2E01932E774AAE
SHA1:1F286192B03C0C70698EF42BBB536C6954DFCB69
SHA-256:1D72D91FFB86204BD9A61E504FF5BD363043E5F14B4CE04A6E07056A003E580D
SHA-512:88805199FAE98D1EB851909C445D9A95D7C8F3E938FE5AA8208943AA417DDC93DE7BC4115196FD3AEC37B7F0E164A96B4240C4AAF080866025542C1049095518
Malicious:false
Preview:..0.=.F.r.e.n.c.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.j.o.u.t.e.r. .a.u.x. .e.x.c.l.u.s.i.o.n.s.....3.=.A.l.l.e.r. ... .l.'.e.m.p.l.a.c.e.m.e.n.t.....4.=.T.o.u.t. .c.o.c.h.e.r.....5.=.T.o.u.t. .d...c.o.c.h.e.r.....6.=.C.o.c.h.e.r. .t.o.u.s. .l.e.s. ...l...m.e.n.t.s. .d.e. .c.e. .v.e.n.d.e.u.r.....7.=.D...c.o.c.h.e.r. .t.o.u.s. .l.e.s. ...l...m.e.n.t.s. .d.e. .c.e. .v.e.n.d.e.u.r.....8.=.I.n.f.o.r.m.a.t.i.o.n.s. .s.u.r. .l.e. .v.e.n.d.e.u.r.....9.=.R.e.c.h.e.r.c.h.e.....1.0.=.P.r.o.t.e.c.t.i.o.n.....1.1.=.M.i.s.e. ... .j.o.u.r.....1.2.=.Q.u.a.r.a.n.t.a.i.n.e.....1.3.=.R.a.p.p.o.r.t.s./.L.o.g.s.....1.4.=.E.x.c.l.u.s.i.o.n.s.....1.5.=.P.a.r.a.m...t.r.e.s.....1.6.=.A.u.t.r.e.s. .o.u.t.i.l.s.....1.7.=.A. .p.r.o.p.o.s...........1.8.=.L.e. .m.o.d.u.l.e. .d.e. .r.e.c.h.e.r.c.h.e. .p.e.u.t. .t.r.o.u.v.e.r. .e.t. .s.u.p.p.r.i.m.e.r. .d.e.s. .p.r.o.g.r.a.m.m.e.s. .m.a.l.v.e.i.l.l.a.n.t.s. .p.r...s.e.n.t.s. .s.u.r. .v.o.t.r.e. .s.y.s.t...m.e... .C.h.o.i.s.i.s.s.e.z. .u.n. .t.y.p.e. .d.'.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):24032
Entropy (8bit):3.5183168402875302
Encrypted:false
SSDEEP:384:vog5HwEduYOUiXvWZC+nMEtwCvWCReXz8jaDfNOTp1qI+:vog5HwfBQdXKoWIejea5OTp1k
MD5:CB7FEE393B8B8553E1BA2516B3B163A8
SHA1:051CAECA6E378D955F05315EA864F0FA2FD424CE
SHA-256:1FF2ABFF575E156E2B2CC07C0F2B351B3DB1B9EEEBD9E42D0AE9AE7742666AE7
SHA-512:9DC01D7C301C3D59570336D7411EA0DD324F9888740C3A31F04A2AC8F2EC799CBB751BA6B93D1B5874307A71A838751B94A6EA5EA98503AAB463743C3874F6B0
Malicious:false
Preview:..0.=.E.n.g.l.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.d.d. .t.o. .i.g.n.o.r.e. .l.i.s.t.....3.=.J.u.m.p. .t.o. .l.o.c.a.t.i.o.n.....4.=.C.h.e.c.k. .a.l.l. .i.t.e.m.s.....5.=.U.n.c.h.e.c.k. .a.l.l. .i.t.e.m.s.....6.=.C.h.e.c.k. .a.l.l. .i.t.e.m.s. .f.r.o.m. .t.h.i.s. .v.e.n.d.o.r.....7.=.U.n.c.h.e.c.k. .a.l.l. .i.t.e.m.s. .f.r.o.m. .t.h.i.s. .v.e.n.d.o.r.....8.=.V.e.n.d.o.r. .i.n.f.o.r.m.a.t.i.o.n.....9.=.S.c.a.n.n.e.r.....1.0.=.P.r.o.t.e.c.t.i.o.n.....1.1.=.U.p.d.a.t.e.....1.2.=.Q.u.a.r.a.n.t.i.n.e.....1.3.=.L.o.g.s.....1.4.=.I.g.n.o.r.e. .L.i.s.t.....1.5.=.S.e.t.t.i.n.g.s.....1.6.=.M.o.r.e. .T.o.o.l.s.....1.7.=.H.e.l.p.....1.8.=.T.h.e. .s.c.a.n.n.e.r. .w.i.l.l. .f.i.n.d. .a.n.d. .r.e.m.o.v.e. .m.a.l.i.c.i.o.u.s. .s.o.f.t.w.a.r.e. .t.h.a.t. .i.s. .i.n.f.e.c.t.i.n.g. .y.o.u.r. .c.o.m.p.u.t.e.r... .P.l.e.a.s.e. .s.e.l.e.c.t. .t.h.e. .s.c.a.n. .t.y.p.e. .a.n.d. .c.l.i.c.k. .'.S.c.a.n.'... .P.l.e.a.s.e. .c.l.o.s.e. .a.l.l. .u.n.n.e.c.e.s.s.a.r.y. .w.i.n.d.o.w.s. .a.n.d. .a.p.p.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):25458
Entropy (8bit):3.4525083855467718
Encrypted:false
SSDEEP:384:lWkz0VMgliFYHFa94CPiwixvEcuc+Cs/3wZh0f+9D3EzM+I:lhtglYYHFamY3KvEdQif+pZ
MD5:22EC0A87090FDC6FF41525A09208374E
SHA1:DAF9BD25E628157612622B65E2FD58A13E3E5095
SHA-256:F66929356AB9895D1E4DA4F4047223F8348443C10A56CC1DD63CF87EA4724076
SHA-512:70C7247127EDA54D16E8D2DEFC7B315D956C69A3BE99153EBB66F42960CFA03F9F48A86387F7E8ACAAE8FC59E0455DCEB6827ABA64130021DA284616F2631994
Malicious:false
Preview:..0.=.F.i.n.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L.i.s..... .h.u.o.m.i.o.i.m.a.t.t.o.m.u.u.s.l.i.s.t.a.l.l.e.....3.=.S.i.i.r.r.y. .s.i.j.a.i.n.t.i.i.n.....4.=.V.a.l.i.t.s.e. .k.a.i.k.k.i. .k.o.h.t.e.e.t.....5.=...l... .v.a.l.i.t.s.e. .m.i.t.....n. .k.o.h.t.e.i.t.a.....6.=.V.a.l.i.t.s.e. .k.a.i.k.k.i. .k.o.h.t.e.e.t. .t...l.t... .v.a.l.m.i.s.t.a.j.a.l.t.a. .....7.=...l... .v.a.l.i.t.s.e. .m.i.t.....n. .k.o.h.t.e.i.t.a. .t...l.t... .v.a.l.m.i.s.t.a.j.a.l.t.a. .....8.=.V.a.l.m.i.s.t.a.j.a.n. .t.i.e.d.o.t.....9.=.T.a.r.k.i.s.t.u.s.....1.0.=.S.u.o.j.a.u.s.....1.1.=.P...i.v.i.t.y.s.....1.2.=.K.a.r.a.n.t.e.e.n.i.....1.3.=.L.o.k.i.t.i.e.d.o.s.t.o.t.....1.4.=.O.h.i.t.u.s.l.i.s.t.a.....1.5.=.A.s.e.t.u.k.s.e.t.....1.6.=.L.i.s..... .t.y...k.a.l.u.j.a.....1.7.=.T.i.e.t.o.a.....1.8.=.T.a.r.k.i.s.t.u.s. .v.o.i. .l...y.t..... .j.a. .p.o.i.s.t.a.a. .j...r.j.e.s.t.e.l.m...s.s...s.i. .o.l.e.v.i.a. .h.a.i.t.t.a.o.h.j.e.l.m.i.a... .V.a.l.i.t.s.e. .t.a.r.k.i.s.t.u.s.t.y.y.p.p.i. .j.a. .v.a.l.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):26090
Entropy (8bit):3.5138293053571332
Encrypted:false
SSDEEP:192:ZSmk2KLKS4DUjVNUve5sjIkm9PYt4PpwQ4sETQzI0BnMmka/kEasoAZ1SzGY:ZSmCKTcNEmsjdt4PcsETQDD/kEasoHGY
MD5:605ED5505E900F06D4A0AFD4B52A6779
SHA1:0C822909E159074F2E29C7D0E3453A2F5BBF7E00
SHA-256:1F0C07F58A67FA154FE1A525A082705980F62FA84F6C8C58DA4A3E9141C19816
SHA-512:93EC824B58BD4CA3FAB451A1EDEE6F31361B9F4D7EA341D6BB02602A11BEC88488D2B7F4562809A0F1320AA6DC8F1E0E26BBBB5D8C7D5AC533FCA863BDA95853
Malicious:false
Preview:..0.=.D.a.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.F...j. .t.i.l. .e.k.s.k.l.u.d.e.r.i.n.g.....3.=.G... .t.i.l. .l.o.k.a.t.i.o.n.....4.=.V...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....5.=.F.r.a.v...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....6.=.V...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.t.t.e. .f.i.r.m.a.....7.=.F.r.a.v...l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.t.t.e. .f.i.r.m.a.....8.=.F.i.r.m.a. .i.n.f.o.r.m.a.t.i.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.B.e.s.k.y.t.t.e.l.s.e.....1.1.=.O.p.d.a.t.e.r.....1.2.=.K.a.r.a.n.t...n.e.....1.3.=.L.o.g.s.....1.4.=.E.k.s.k.l.u.d.e.r.i.n.g.....1.5.=.I.n.d.s.t.i.l.l.i.n.g.e.r.....1.6.=.F.l.e.r.e. .V...r.k.t...j.e.r.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.e.n. .k.a.n. .f.i.n.d.e. .o.g. .f.j.e.r.n.e. .s.k.a.d.e.l.i.g. .s.o.f.t.w.a.r.e.,. .s.o.m. .m...t.t.e. .f.i.n.d.e.s. .p... .d.i.n. .c.o.m.p.u.t.e.r... .V...l.g. .v.e.n.l.i.g.s.t. .e.n. .s.k.a.n.n.i.n.g.s.t.y.p.e. .o.g. .k.l.i.k. .. s.k.a.n.. .. .L.u.k. .v.e.n.l.i.g.s.t. .a.l.l.e. .u.n...d.v.e.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):27680
Entropy (8bit):3.418267624959816
Encrypted:false
SSDEEP:384:bOS+eRPUkw14KqCIXtR9xY+HJyG+32FQofgrvYGFodLdF:BUoZr9c42orGFodD
MD5:E3D594A7687D758B29574C77E8E43839
SHA1:061F7701987364A1CEDCEECD078AA8CBA814E3C1
SHA-256:80BD8B7CA567EEE73C7D1F1335B906B8BDEE022C71855593147CD756D6A74CAD
SHA-512:5DC81FD6478CAEE9849B96B9E5CE92B181ABFFF5BB890BE37B73A6079ED621AC5ACBAAEDE2CC995264EB881A327663077EFD389E76910E9EA0B858D6B44E3327
Malicious:false
Preview:..0.=.I.t.a.l.i.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.g.g.i.u.n.g.i. .a. .l.i.s.t.a. .i.g.n.o.r.a.....3.=.V.a.i. .a.l.l.a. .p.o.s.i.z.i.o.n.e.....4.=.S.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i.....5.=.D.e.s.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i.....6.=.S.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i. .c.o.n. .q.u.e.s.t.a. .p.r.o.v.e.n.i.e.n.z.a.....7.=.D.e.s.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i. .c.o.n. .q.u.e.s.t.a. .p.r.o.v.e.n.i.e.n.z.a.....8.=.I.n.f.o. .p.r.o.v.e.n.i.e.n.z.a.....9.=.S.c.a.n.s.i.o.n.e.....1.0.=.P.r.o.t.e.z.i.o.n.e.....1.1.=.A.g.g.i.o.r.n.a.m.e.n.t.o.....1.2.=.Q.u.a.r.a.n.t.e.n.a.....1.3.=.L.o.g.....1.4.=.L.i.s.t.a. .i.g.n.o.r.a.....1.5.=.I.m.p.o.s.t.a.z.i.o.n.i.....1.6.=.A.l.t.r.i. .s.t.r.u.m.e.n.t.i.....1.7.=.I.n.f.o.r.m.a.z.i.o.n.i.....1.8.=.L.a. .s.c.a.n.s.i.o.n.e. .r.i.l.e.v.a. .e. .r.i.m.u.o.v.e. .i.l. .s.o.f.t.w.a.r.e. .n.o.c.i.v.o. .e.v.e.n.t.u.a.l.m.e.n.t.e. .p.r.e.s.e.n.t.e. .n.e.l. .s.i.s.t.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29372
                                                                                                                                                                                                                                                      Entropy (8bit):3.5425237288380647
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:XmgtzRbWpEatDSp+Groyo0y9P65q18CIqMGls9FqxnGe1:WgtztWmaQp+Groyo0y9z8qMG6qxnGe1
                                                                                                                                                                                                                                                      MD5:B46C9C0D2BDA5299659845A723DB640A
                                                                                                                                                                                                                                                      SHA1:3BF0B555980F14AE06288C465322E07AC8AD4279
                                                                                                                                                                                                                                                      SHA-256:9BDFDA5651B2284A057CC5F43E927AF95B580E06552ACF6A9D2677550ADBD612
                                                                                                                                                                                                                                                      SHA-512:297C5A05CD5A6BD5138A6B2B7AD059CD7E79545DFC468C8EE7F106E64E3E7D94075854B8F1E262F2B170AE88ADF48CBD7AD989B0C297161FB479BA659510A922
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.G.e.r.m.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.Z.u.r. .I.g.n.o.r.i.e.r.l.i.s.t.e. .h.i.n.z.u.f...g.e.n.....3.=.S.p.r.i.n.g.e. .z.u. .P.o.s.i.t.i.o.n.....4.=.A.l.l.e. .E.i.n.t.r...g.e. .a.u.s.w...h.l.e.n.....5.=.A.u.s.w.a.h.l. .a.l.l.e.r. .E.i.n.t.r...g.e. .r...c.k.g...n.g.i.g. .m.a.c.h.e.n.....6.=.A.l.l.e. .E.i.n.t.r...g.e. .d.i.e.s.e.s. .A.n.b.i.e.t.e.r.s. .a.u.s.w...h.l.e.n.....7.=.A.u.s.w.a.h.l. .a.l.l.e.r. .E.i.n.t.r...g.e. .d.i.e.s.e.s. .A.n.b.i.e.t.e.r.s. .r...c.k.g...n.g.i.g. .m.a.c.h.e.n.....8.=.A.n.b.i.e.t.e.r. .I.n.f.o.r.m.a.t.i.o.n.e.n.....9.=.S.u.c.h.l.a.u.f.....1.0.=.S.c.h.u.t.z.....1.1.=.A.k.t.u.a.l.i.s.i.e.r.u.n.g.....1.2.=.Q.u.a.r.a.n.t...n.e.....1.3.=.L.o.g.d.a.t.e.i.e.n.....1.4.=.I.g.n.o.r.i.e.r.l.i.s.t.e.....1.5.=.E.i.n.s.t.e.l.l.u.n.g.e.n.....1.6.=.W.e.i.t.e.r.e. .P.r.o.g.r.a.m.m.e.....1.7.=...b.e.r.....1.8.=.D.e.r. .S.u.c.h.l.a.u.f. .k.a.n.n. .b...s.a.r.t.i.g.e. .P.r.o.g.r.a.m.m.e. .a.u.f. .I.h.r.e.m. .S.y.s.t.e.m. .f.i.n.d.e.n. .u.n.d. .e.n.t.f.e.r.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):27680
                                                                                                                                                                                                                                                      Entropy (8bit):3.418267624959816
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:bOS+eRPUkw14KqCIXtR9xY+HJyG+32FQofgrvYGFodLdF:BUoZr9c42orGFodD
                                                                                                                                                                                                                                                      MD5:E3D594A7687D758B29574C77E8E43839
                                                                                                                                                                                                                                                      SHA1:061F7701987364A1CEDCEECD078AA8CBA814E3C1
                                                                                                                                                                                                                                                      SHA-256:80BD8B7CA567EEE73C7D1F1335B906B8BDEE022C71855593147CD756D6A74CAD
                                                                                                                                                                                                                                                      SHA-512:5DC81FD6478CAEE9849B96B9E5CE92B181ABFFF5BB890BE37B73A6079ED621AC5ACBAAEDE2CC995264EB881A327663077EFD389E76910E9EA0B858D6B44E3327
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.I.t.a.l.i.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A.g.g.i.u.n.g.i. .a. .l.i.s.t.a. .i.g.n.o.r.a.....3.=.V.a.i. .a.l.l.a. .p.o.s.i.z.i.o.n.e.....4.=.S.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i.....5.=.D.e.s.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i.....6.=.S.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i. .c.o.n. .q.u.e.s.t.a. .p.r.o.v.e.n.i.e.n.z.a.....7.=.D.e.s.e.l.e.z.i.o.n.a. .t.u.t.t.i. .g.l.i. .e.l.e.m.e.n.t.i. .c.o.n. .q.u.e.s.t.a. .p.r.o.v.e.n.i.e.n.z.a.....8.=.I.n.f.o. .p.r.o.v.e.n.i.e.n.z.a.....9.=.S.c.a.n.s.i.o.n.e.....1.0.=.P.r.o.t.e.z.i.o.n.e.....1.1.=.A.g.g.i.o.r.n.a.m.e.n.t.o.....1.2.=.Q.u.a.r.a.n.t.e.n.a.....1.3.=.L.o.g.....1.4.=.L.i.s.t.a. .i.g.n.o.r.a.....1.5.=.I.m.p.o.s.t.a.z.i.o.n.i.....1.6.=.A.l.t.r.i. .s.t.r.u.m.e.n.t.i.....1.7.=.I.n.f.o.r.m.a.z.i.o.n.i.....1.8.=.L.a. .s.c.a.n.s.i.o.n.e. .r.i.l.e.v.a. .e. .r.i.m.u.o.v.e. .i.l. .s.o.f.t.w.a.r.e. .n.o.c.i.v.o. .e.v.e.n.t.u.a.l.m.e.n.t.e. .p.r.e.s.e.n.t.e. .n.e.l. .s.i.s.t.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):24602
                                                                                                                                                                                                                                                      Entropy (8bit):3.511817410114942
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:w+uox0zeMk1KtiSsVJDu8AOcDjB3OyHTeuy:nuox0zeMk1KtiSsVNujvB3lTi
                                                                                                                                                                                                                                                      MD5:33865F12839E7FEF9FC7956C5827295D
                                                                                                                                                                                                                                                      SHA1:DF1AD9FDF84B12B69F8F1D701FEDA8AFD05D7AF8
                                                                                                                                                                                                                                                      SHA-256:3A3F5DCD1518C6EFD066A36FAF09AA55AAA0C98201E31F5DB2406CDCB63DD4A2
                                                                                                                                                                                                                                                      SHA-512:889B6BB7C7C83F14FF933C0AC4851AF789A511C6EB2AB7F8A9D983E4721052C274ABA7D0EA9F67A22F202DE960971BF0FE228A1E65F06F093EE840DAC11CCD58
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.N.o.r.w.e.g.i.a.n.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L.e.g.g. .t.i.l. .e.k.s.k.l.u.d.e.r.i.n.g.s.l.i.s.t.e.n.....3.=.G... .t.i.l. .d.e.s.t.i.n.a.s.j.o.n.....4.=.V.e.l.g. .a.l.l.e. .o.b.j.e.k.t.e.r.....5.=.F.j.e.r.n. .a.l.l.e. .o.b.j.e.k.t.e.r.....6.=.V.e.l.g. .a.l.l.e. .o.b.j.e.k.t.e.r. .f.r.a. .d.e.n.n.e. .p.r.o.d.u.s.e.n.t.e.n.....7.=.F.j.e.r.n. .a.l.l.e. .e.l.e.m.e.n.t.e.r. .f.r.a. .d.e.n.n.e. .p.r.o.d.u.s.e.n.t.e.n.....8.=.P.r.o.d.u.s.e.n.t.i.n.f.o.r.m.a.s.j.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.B.e.s.k.y.t.t.e.l.s.e.....1.1.=.O.p.p.d.a.t.e.r.....1.2.=.K.a.r.a.n.t.e.n.e.....1.3.=.L.o.g.g.e.r.....1.4.=.E.k.s.k.l.u.d.e.r.i.n.g.s.l.i.s.t.e.....1.5.=.I.n.n.s.t.i.l.l.i.n.g.e.r.....1.6.=.F.l.e.r.e. .v.e.r.k.t...y.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.e.n. .k.a.n. .f.i.n.n.e. .o.g. .f.j.e.r.n.e. .s.k.a.d.e.l.i.g. .p.r.o.g.r.a.m.v.a.r.e. .p... .s.y.s.t.e.m.e.t. .d.i.t.t... .V.e.l.g. .e.n. .s...k.e.m.e.t.o.d.e. .o.g. .k.l.i.k.k. .'.S.k.a.n.n.'... .V.e.n.n.l.i.g.s.t. .l.u.k.k. .
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):29546
                                                                                                                                                                                                                                                      Entropy (8bit):3.4652359591306263
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:0oomqWisQuRZGDQb+CmsGyO+1UxQR8rEB+0uF7IuPSu+FKWlBk7:0oRiTO96CmsDOpQ2wB1XuPLWly
                                                                                                                                                                                                                                                      MD5:3A57303C8AAF78C7AB7ED16B3DC10989
                                                                                                                                                                                                                                                      SHA1:8DCA05D0C55CFA6FBD78AFA8C177FD68ECAEC8D9
                                                                                                                                                                                                                                                      SHA-256:9CEE0D51D2385AA56A41461EEF49354AA473B67FF017DDF4437781CE505F5815
                                                                                                                                                                                                                                                      SHA-512:F4F61AA31F0B1A42AA38793E8F8C6279223A34E68ABD624388E8C1469CFD91144283E459C89DE85E4C6053428B88CE6A95A7855061F2C80E7BAA624BA49A4AFB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.S.p.a.n.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.A...a.d.i.r. .a. .l.a. .l.i.s.t.a. .d.e. .i.g.n.o.r.a.d.o.s.....3.=.I.r. .a. .l.a. .u.b.i.c.a.c.i...n.....4.=.M.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s.....5.=.D.e.s.m.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s.....6.=.C.o.m.p.r.u.e.b.e. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s. .d.e. .e.s.t.e. .p.r.o.v.e.e.d.o.r.....7.=.D.e.s.m.a.r.c.a.r. .t.o.d.o.s. .l.o.s. .e.l.e.m.e.n.t.o.s. .d.e. .e.s.t.e. .p.r.o.v.e.e.d.o.r.....8.=.I.n.f.o.r.m.a.c.i...n. .s.o.b.r.e. .e.l. .p.r.o.v.e.e.d.o.r.....9.=.E.s.c...n.e.r.....1.0.=.P.r.o.t.e.c.c.i...n.....1.1.=.A.c.t.u.a.l.i.z.a.r.....1.2.=.C.u.a.r.e.n.t.e.n.a.....1.3.=.R.e.g.i.s.t.r.o.s.....1.4.=.L.i.s.t.a. .d.e. .i.g.n.o.r.a.d.o.s.....1.5.=.C.o.n.f.i.g.u.r.a.c.i...n.....1.6.=.M...s. .h.e.r.r.a.m.i.e.n.t.a.s.....1.7.=.A.c.e.r.c.a. .d.e.....1.8.=.E.l. .e.s.c.a.n.e.o. .p.u.e.d.e. .e.n.c.o.n.t.r.a.r. .y. .e.l.i.m.i.n.a.r. .e.l. .s.o.f.t.w.a.r.e. .m.a.l.i.c.i.o.s.o. .p.r.e.s.e.n.t.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):25478
                                                                                                                                                                                                                                                      Entropy (8bit):3.5297575392191374
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:X3DXSknVEWkeeXL0NqNP4X7DAh1rQrfYo+XbA089lZ7hEIY4u:XFVEXeeXL08NwX7DL+gjYl
                                                                                                                                                                                                                                                      MD5:2EF431197148CAF95808046A43401EE0
                                                                                                                                                                                                                                                      SHA1:6D23BC04CEECA33232B769492FC68C339794E945
                                                                                                                                                                                                                                                      SHA-256:2B4A5A26AAC4F920C1D56DBB5764A7DF53EA99BAB0D70132FAF9955E5D6CA045
                                                                                                                                                                                                                                                      SHA-512:B8182495CC18487942A5C0F5E32EF41315A3EEA467AF7A354D10ABBA1065A7A088966FC19CD816599EC529FA7D5C78CADBAE30436997DC230F8F61BA4E546370
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..0.=.S.w.e.d.i.s.h.....1.=.C.h.i.c.a.P.C.-.S.h.i.e.l.d.....2.=.L...g.g. .t.i.l.l. .i. .i.g.n.o.r.e.r.a.l.i.s.t.a.n.....3.=.H.o.p.p.a. .t.i.l.l. .p.l.a.t.s.....4.=.M.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r.....5.=.A.v.m.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r.....6.=.M.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r. .f.r...n. .d.e.n. .h...r. .u.t.f...r.d.a.r.e.n.....7.=.A.v.m.a.r.k.e.r.a. .a.l.l.a. .p.o.s.t.e.r. .f.r...n. .d.e.n. .h...r. .u.t.f...r.d.a.r.e.n.....8.=.U.t.f...r.d.a.r.i.n.f.o.r.m.a.t.i.o.n.....9.=.S.k.a.n.n.e.r.....1.0.=.S.k.y.d.d.....1.1.=.U.p.p.d.a.t.e.r.a.....1.2.=.K.a.r.a.n.t...n.....1.3.=.L.o.g.g.a.r.....1.4.=.I.g.n.o.r.e.r.a.l.i.s.t.a.....1.5.=.I.n.s.t...l.l.n.i.n.g.a.r.....1.6.=.F.l.e.r. .v.e.r.k.t.y.g.....1.7.=.O.m.....1.8.=.S.k.a.n.n.e.r.n. .k.a.n. .h.i.t.t.a. .o.c.h. .t.a. .b.o.r.t. .s.k.a.d.l.i.g.a. .p.r.o.g.r.a.m. .s.o.m. .f.i.n.n.s. .i. .d.i.t.t. .s.y.s.t.e.m... .V...l.j. .e.n. .s.k.a.n.n.i.n.g.s.t.y.p. .o.c.h. .k.l.i.c.k.a. .p... .'.S.k.a.n.n.a.'... .A.v.s.l.u.t.a. .a.l.l.a. .
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):178
                                                                                                                                                                                                                                                      Entropy (8bit):3.451125105766001
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:QmXlM1xlC3JpBIBdRUUOlWF5uERUNo1/fFaAJyMPlfRwkGlMZ1CNWly0uM2vl:QmGDE5wby3lDEtaAJyMPNO6L2iUM29
                                                                                                                                                                                                                                                      MD5:BB3FDC8A63D5D0AEE231A1B48087BF32
                                                                                                                                                                                                                                                      SHA1:AB71C287D0A31AB100CEBA863C22E4F782DBFBA6
                                                                                                                                                                                                                                                      SHA-256:8F413AFD995C6F75F3B056F66EF222FCE061A7F5BDFC6D31CB6423FBFFC19F52
                                                                                                                                                                                                                                                      SHA-512:17F55B945F5F6DA51BCCF23827CE515F02B8C23FFACEA1476D28AABE892E1DEBA7D44497DA55AA53CA57D079EEB9D2B2BEAA0407F76BB875B5DF36E95E4EAE89
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..C.h.i.c.a.P.C.-.S.h.i.e.l.d. .1...7.5...0...1.3.0.0.........N.e.w. .F.e.a.t.u.r.e.s.:....." . . .A.d.d.e.d. .a.b.i.l.i.t.y. .t.o. .s.c.a.n. .w.i.t.h.i.n. .a.r.c.h.i.v.e.s.....
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):973448
                                                                                                                                                                                                                                                      Entropy (8bit):6.667557972562886
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:uSQWk9X1yhnMA53KWTCzxx+cQ/MkDKs3dyaOk8Ui2UHIEufwb4Isj:u9X1yhnMA5Ozxx+cyMApsaOk8RNad
                                                                                                                                                                                                                                                      MD5:064E37783673E0094DAE704513F29393
                                                                                                                                                                                                                                                      SHA1:96A6F17D7D3378F1368CDB6485E8355675B26527
                                                                                                                                                                                                                                                      SHA-256:845EE2CD431F30CE068B4BF4564E2CF03E91A5D0421B310571A18D298663B018
                                                                                                                                                                                                                                                      SHA-512:973241BC66BD387BF568BFBF657B172298B8D83E71C2F69ACB67A1B2596057D8763035A2725589995FCB45B6B1AF55949CCA1198F4309C3437A7C222E22BC791
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...4...%.......Rich............................PE..L......Q.................`...........+.......p....@...............K.......... ...............................................V..(........;..........@...H...........@.......................................8... .......8............................text....P.......`.................. ..`.data...$n...p.......p..............@....rsrc....;.......@..................@..@l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):788040
                                                                                                                                                                                                                                                      Entropy (8bit):6.397289855239814
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:8yJ84SmYtXI+OLNdc5lDAqnO129aisT2UHIEufwb4I3R:8ykhXI+iNdc5aqnO129aisdNam
                                                                                                                                                                                                                                                      MD5:9CC7642A4825E87C9EACB29391279F43
                                                                                                                                                                                                                                                      SHA1:B9F2FF58EB2107D27F1C7DEA9781F72E7E0AF475
                                                                                                                                                                                                                                                      SHA-256:B258E4CA50F5A2DDB9602F3F95CC79F1E11DEA622790E95018189721C8F13C1B
                                                                                                                                                                                                                                                      SHA-512:7267FC2B1495C416DAFF7E73D3831D4A88B6BD3D9B83E05D57F5DD4EB50BD1D5D4472E846740DB3E6241B234BC24CFA453A8645C120C7FD3AD2FD5E1CCE11CBB
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..............[.......n.......o.V.....Y......V.......................j......._.......X.....Rich............PE..L...../Q.................X..................p....@..........................@......X.....@.................................L...........................H........I...s..................................@............p...............................text....V.......X.................. ..`.rdata..B"...p...$...\..............@..@.data....[.......6..................@....rsrc...............................@..@.reloc...m.......n...~..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):40008
                                                                                                                                                                                                                                                      Entropy (8bit):6.271830222041746
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:xrMoO34N7GQd6hoAwMR9PzO6UUhQGgmN2gWNKUGfOvEDH8b0nuy4mPvfXNeeMWRx:uoIN1jO6hh6mgVmyEDcAn2mPNNuH
                                                                                                                                                                                                                                                      MD5:D325C6C919A7E56731E8835B7A8350EF
                                                                                                                                                                                                                                                      SHA1:26C662140BA567468D68C5D09482C4A18B0ECE08
                                                                                                                                                                                                                                                      SHA-256:16E52579BF5FB3AECE000CCC2D8217C91B94545A0CBE4061EB3C167583CC44C5
                                                                                                                                                                                                                                                      SHA-512:E609164CD2CC64E7FF0AD9FA3C5B630A5B96D5A28151D36EC41C340EAF7AB348CFB84710568EFCEB45D6A14EF64891A24F2334D8AB239E5A552277DB1846F0BA
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.V.{.8M{.8M{.8M..Mq.8M..Ms.8M..MC.8Mr.Mx.8M{.9MG.8M{.8Mz.8M..Mz.8M..Mz.8M{..Mz.8M..Mz.8MRich{.8M................PE..L...0./Q.................D...H...............`....@......................................@.................................Lz..(.......................H............a...............................x..@............`...............................text....C.......D.................. ..`.rdata..>....`... ...H..............@..@.data................h..............@....rsrc................t..............@..@.reloc..^............z..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):418376
                                                                                                                                                                                                                                                      Entropy (8bit):6.499528532289575
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:sVZ7DhFUcAWNPHzqswHZahEpQUfTxWXtc9uhZ:U/JfWswHZahEpQaxitc9uhZ
                                                                                                                                                                                                                                                      MD5:C56F757EB2A6D9B850FAD5F075008A57
                                                                                                                                                                                                                                                      SHA1:5495FB9CC42D55C4D3B79B47E8A583CB5DA8AABF
                                                                                                                                                                                                                                                      SHA-256:CDD73A8974B724A62266ED73F7A5E89B52E882D61B2766A994F6D1CDDE027113
                                                                                                                                                                                                                                                      SHA-512:5069F6F6E7F1B5C9E4427721D088321C6856C89CE27C0F197EAE664C9C87797F2A759327249A131582F189E124790F2940A3E148A144541C3091500714BA8D88
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.{.............z.......z...T...z.......z...............................z.../...z..............z.......Rich............PE..L... ./Q............................k.............@..................................d....@..........................................0...............H..H....@..P@...................................J..@...............(............................text............................... ..`.rdata..V...........................@..@.data....Z.......6..................@....rsrc........0......................@..@.reloc..@\...@...^..................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):701512
                                                                                                                                                                                                                                                      Entropy (8bit):6.491661073895199
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:SsxYiXcF3Y5icaHzy2mkonRpouFnrUTf7Bw+gcoc2jOPdjm3VOTrAItqCR:SsxYiXcFaicaHe2ceuFnrQfFwpcYOPFJ
                                                                                                                                                                                                                                                      MD5:C6BF2747298011BBCAAEAE96E5EC34D1
                                                                                                                                                                                                                                                      SHA1:E5AE7CAE8B3FC18F459B54976F572CE657BA0E99
                                                                                                                                                                                                                                                      SHA-256:DA0F8F13DF923976791FEFFB1C4EB683939CA188AE5D4799521664DF767C843E
                                                                                                                                                                                                                                                      SHA-512:D574D977DD17C7FAA98B31F38A860D26C812392BAD7881F754D90BA364CD954E66D8D8679955A04E944FE8BEF9B32A5B101528D349DC4F737AD8E1D5B43A6F33
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7..An.7..Ao.~7..AY..7..A[..7...OV..7...7...6...7...7..Aj.7..A_..7...7R..7..AX..7..Rich.7..................PE..L...../Q..................................... ....@.......................................@.....................................,....@..................H....P...d..`$............................................... ...............................text............................... ..`.rdata..P.... ......................@..@.data... _.......:..................@....rsrc........@......................@..@.reloc..r....P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):788040
                                                                                                                                                                                                                                                      Entropy (8bit):6.397289855239814
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:8yJ84SmYtXI+OLNdc5lDAqnO129aisT2UHIEufwb4I3R:8ykhXI+iNdc5aqnO129aisdNam
                                                                                                                                                                                                                                                      MD5:9CC7642A4825E87C9EACB29391279F43
                                                                                                                                                                                                                                                      SHA1:B9F2FF58EB2107D27F1C7DEA9781F72E7E0AF475
                                                                                                                                                                                                                                                      SHA-256:B258E4CA50F5A2DDB9602F3F95CC79F1E11DEA622790E95018189721C8F13C1B
                                                                                                                                                                                                                                                      SHA-512:7267FC2B1495C416DAFF7E73D3831D4A88B6BD3D9B83E05D57F5DD4EB50BD1D5D4472E846740DB3E6241B234BC24CFA453A8645C120C7FD3AD2FD5E1CCE11CBB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..............[.......n.......o.V.....Y......V.......................j......._.......X.....Rich............PE..L...../Q.................X..................p....@..........................@......X.....@.................................L...........................H........I...s..................................@............p...............................text....V.......X.................. ..`.rdata..B"...p...$...\..............@..@.data....[.......6..................@....rsrc...............................@..@.reloc...m.......n...~..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):178
Entropy (8bit):3.451125105766001
Encrypted:false
SSDEEP:3:QmXlM1xlC3JpBIBdRUUOlWF5uERUNo1/fFaAJyMPlfRwkGlMZ1CNWly0uM2vl:QmGDE5wby3lDEtaAJyMPNO6L2iUM29
MD5:BB3FDC8A63D5D0AEE231A1B48087BF32
SHA1:AB71C287D0A31AB100CEBA863C22E4F782DBFBA6
SHA-256:8F413AFD995C6F75F3B056F66EF222FCE061A7F5BDFC6D31CB6423FBFFC19F52
SHA-512:17F55B945F5F6DA51BCCF23827CE515F02B8C23FFACEA1476D28AABE892E1DEBA7D44497DA55AA53CA57D079EEB9D2B2BEAA0407F76BB875B5DF36E95E4EAE89
Malicious:false
Preview:..C.h.i.c.a.P.C.-.S.h.i.e.l.d. .1...7.5...0...1.3.0.0.........N.e.w. .F.e.a.t.u.r.e.s.:....." . . .A.d.d.e.d. .a.b.i.l.i.t.y. .t.o. .s.c.a.n. .w.i.t.h.i.n. .a.r.c.h.i.v.e.s.....

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):74312
Entropy (8bit):6.291733112880314
Encrypted:false
SSDEEP:768:J2qlA0Jww5dns1jG2rbt7nIdRkRexdhb1I2kkVJCED7nuj1dxD6S/omj/7P72UPv:JFG0JbVwra/BLkqL8xDZww/7KUP
MD5:D8B30620769A323FCB6253BCBA9542B6
SHA1:9FA60EA7F2D5FA49C633AA5AC07F1DE287E45D8B
SHA-256:B8FAC26DC5E2F773417D3F9E716AC531C37D09E59E50D659AD79F72E86E075A9
SHA-512:119A323DC959B91B5F2F2CD9F05A98E6C222C0130950BFCA3062FBDD4B32CA6D2BF620FBA40B1C42C427ECB56F202C918CEBA36B7A8A5EA9B6DF5626286B4531
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........nF...................l......................l.......................................Rich............PE..L....J.P...........!.........|.......S.......................................P............@.........................`...M...,...(.... ..................H....0..........................................@............................................text............................... ..`.rdata...8.......:..................@..@.data....&..........................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):914432
Entropy (8bit):6.481500443477186
Encrypted:false
SSDEEP:24576:TW+wsDaQw6DDz3qRyPnmGfrnvVUKueY8RmneWtJ:TasY6DwOBfrnvV7UeWt
MD5:04AD4B80880B32C94BE8D0886482C774
SHA1:344FAF61C3EB76F4A2FB6452E83ED16C9CCE73E0
SHA-256:A1E1D1F0FFF4FCCCFBDFA313F3BDFEA4D3DFE2C2D9174A615BBC39A0A6929338
SHA-512:3E3AAF01B769471B18126E443A721C9E9A0269E9F5E48D0A10251BC1EE309855BD71EDE266CAA6828B007359B21BA562C2A5A3469078760F564FB7BD43ACABFB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0;.tc;.tc;.tcT..c8.tc..zc3.tcT.~c?.tcT.pc9.tc..+c:.tc;.ucH.tc..)c<.tc...c.tcT..c..tcT..c9.tc..rc:.tc.pc:.tcRich;.tc........................PE..L....S.L...........!.....:...................P......................................................................p.......L...d........{......................8q...................................................P..(............................text....8.......:.................. ..`.rdata..bR...P...T...>..............@..@.data............^..................@....sxdata......p......................@....rsrc....{.......|..................@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2191944
Entropy (8bit):6.642037719289481
Encrypted:false
SSDEEP:49152:M+uzsaJOaZZ5ULvyDB1bwJrbwnDOT00pnke2u6ln1GUcV4Zb4B:MVxJOwU7CrbwJwnDqke2ukn
MD5:6E4470AEA570CA88F4FAEF57BA59F0C5
SHA1:D02C99A75D596D1CFD928AD687842BF826B7703C
SHA-256:6D56B3F5CF27FEFEDD8CC823F8583FC082EE20B42E041B927975DFAF2C9CBAEB
SHA-512:F845C8DD32B9C6E2E221F4CA714AE979D400BC93D275954CD2B4DBD2E91B68D526EB34D782F4679D2F993655D44F340F2E2987D6157946F10832D049387CD224
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........DM..*...*...*.......*.......*.......*.......*......*...+...*...*...*.......*.......*.......*......*.......*.Rich..*.................PE..L...../Q...........!.........................0................................!......."...@..........................I..m....7.......................X!.H.......xY...8..................................@............0..`............................text............................... ..`.rdata.......0....... ..............@..@.data...<S...P.......>..............@....rsrc................0..............@..@.reloc... ......."...6..............@..B................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):40008
Entropy (8bit):6.271830222041746
Encrypted:false
SSDEEP:384:xrMoO34N7GQd6hoAwMR9PzO6UUhQGgmN2gWNKUGfOvEDH8b0nuy4mPvfXNeeMWRx:uoIN1jO6hh6mgVmyEDcAn2mPNNuH
MD5:D325C6C919A7E56731E8835B7A8350EF
SHA1:26C662140BA567468D68C5D09482C4A18B0ECE08
SHA-256:16E52579BF5FB3AECE000CCC2D8217C91B94545A0CBE4061EB3C167583CC44C5
SHA-512:E609164CD2CC64E7FF0AD9FA3C5B630A5B96D5A28151D36EC41C340EAF7AB348CFB84710568EFCEB45D6A14EF64891A24F2334D8AB239E5A552277DB1846F0BA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.V.{.8M{.8M{.8M..Mq.8M..Ms.8M..MC.8Mr.Mx.8M{.9MG.8M{.8Mz.8M..Mz.8M..Mz.8M{..Mz.8M..Mz.8MRich{.8M................PE..L...0./Q.................D...H...............`....@......................................@.................................Lz..(.......................H............a...............................x..@............`...............................text....C.......D.................. ..`.rdata..>....`... ...H..............@..@.data................h..............@....rsrc................t..............@..@.reloc..^............z..............@..B................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):701512
Entropy (8bit):6.491661073895199
Encrypted:false
SSDEEP:12288:SsxYiXcF3Y5icaHzy2mkonRpouFnrUTf7Bw+gcoc2jOPdjm3VOTrAItqCR:SsxYiXcFaicaHe2ceuFnrQfFwpcYOPFJ
MD5:C6BF2747298011BBCAAEAE96E5EC34D1
SHA1:E5AE7CAE8B3FC18F459B54976F572CE657BA0E99
SHA-256:DA0F8F13DF923976791FEFFB1C4EB683939CA188AE5D4799521664DF767C843E
SHA-512:D574D977DD17C7FAA98B31F38A860D26C812392BAD7881F754D90BA364CD954E66D8D8679955A04E944FE8BEF9B32A5B101528D349DC4F737AD8E1D5B43A6F33
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7..An.7..Ao.~7..AY..7..A[..7...OV..7...7...6...7...7..Aj.7..A_..7...7R..7..AX..7..Rich.7..................PE..L...../Q..................................... ....@.......................................@.....................................,....@..................H....P...d..`$............................................... ...............................text............................... ..`.rdata..P.... ......................@..@.data... _.......:..................@....rsrc........@......................@..@.reloc..r....P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
Size (bytes):712264
Entropy (8bit):6.524059965918702
Encrypted:false
SSDEEP:12288:qTPcYn5c/rPx37/zHBA6a5UeypkxmFERhD7rNdR81QNERxyF:iPcYn5c/rPx37/zHBA6pDpk8FEK1uERU
MD5:C2BE7988C8762E314534B2908C4D6E49
SHA1:CBC373D596D389F5ABEA8177D1F86EE767284466
SHA-256:4A53C567369F2F30571019E17B13F650680280962B9C4105B2B3CF306FE47C36
SHA-512:EEFA58E16BBFBEFD1AFBF63409CDF5907FBE87BDD5BCFFEB9FEC47790E0428E3290ED22108EAE4BCD6711C9CD92D947E87CFBF68EBCF37FE4A68405142776216
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):46416
Entropy (8bit):4.872445450776674
Encrypted:false
SSDEEP:768:JjBzwlSCIuAXEDsyPFHhOlLA57EkcAZnhtyFmNj/LWFbCF:JLuAUocFHMlL07fRZPHDaNCF
MD5:91EA28804EC3A71126841554199E28BC
SHA1:00D568F31E6D4E2110F54C3FEA93219092181891
SHA-256:E5F85613264ED15FCA01E332068CB4515D56FB7F4F7267B4A94DEB06B7944063
SHA-512:F8209A77DD64B9562057ECC2DA1DE46FE763E1B0E6459FF4CFB5EFAE05300B8027BC71C3F44033D8BE0B2115AAF3ACDAD6A8B83796F26044F88BC76E5C466E82
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):95304
Entropy (8bit):5.981207201467423
Encrypted:false
SSDEEP:1536:K74We9oCdZ6GNDNe+D+Tfb0WdeSe+w4IW1DmeuvF5uV7s88Wf:K7E9h/J7+Tfb0y2+Z5mrvF5uNsjY
MD5:76549804F14999EDEB55598A84E2804B
SHA1:B6D8FAE4C7E4BC1376D7B0381EBCE9043E4A4AC2
SHA-256:5EAF813C597F9FEAD461771687BC452A30F0CBB66CC0BB843060CAA45C7AD987
SHA-512:6AF33E80F27D035F0B4F6CBFB4E862258AA3A75D522E62F7DA1196F368FA040D4B2D6F238D1249F4BB99B4007A0BF7EAC4013B5B910B610784CD13788AE77A73
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):973448
Entropy (8bit):6.667557972562886
Encrypted:false
SSDEEP:12288:uSQWk9X1yhnMA53KWTCzxx+cQ/MkDKs3dyaOk8Ui2UHIEufwb4Isj:u9X1yhnMA5Ozxx+cyMApsaOk8RNad
MD5:064E37783673E0094DAE704513F29393
SHA1:96A6F17D7D3378F1368CDB6485E8355675B26527
SHA-256:845EE2CD431F30CE068B4BF4564E2CF03E91A5D0421B310571A18D298663B018
SHA-512:973241BC66BD387BF568BFBF657B172298B8D83E71C2F69ACB67A1B2596057D8763035A2725589995FCB45B6B1AF55949CCA1198F4309C3437A7C222E22BC791
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1127496
Entropy (8bit):6.488890971256239
Encrypted:false
SSDEEP:24576:m7+uEDVpEDH52BvDSG6XNAkV40/Q1tNqOgTDNhTmlnqnzu:OrTLo0/QTNqhTphqlnqnzu
MD5:F8340FF46DD9F7CF070F6C707EBA11C6
SHA1:02BC5EEC85A0FD2EC84775B5B88CB3D0610DC283
SHA-256:81712DD284B1E834E7BB16613DE348E453A6FD8244CFAA14AF6A8907F8C83ADE
SHA-512:FDD0C3E97D780ADE35A9363A4FEAD0AE8792E2ECD4C586CCE8BC83A79F582986425F7BD0182C755B7CC7F69E5DCA0371067DEBE7A8A69B9659856EF9AEE7AB02
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):418376
Entropy (8bit):6.499528532289575
Encrypted:false
SSDEEP:12288:sVZ7DhFUcAWNPHzqswHZahEpQUfTxWXtc9uhZ:U/JfWswHZahEpQaxitc9uhZ
MD5:C56F757EB2A6D9B850FAD5F075008A57
SHA1:5495FB9CC42D55C4D3B79B47E8A583CB5DA8AABF
SHA-256:CDD73A8974B724A62266ED73F7A5E89B52E882D61B2766A994F6D1CDDE027113
SHA-512:5069F6F6E7F1B5C9E4427721D088321C6856C89CE27C0F197EAE664C9C87797F2A759327249A131582F189E124790F2940A3E148A144541C3091500714BA8D88
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):496976
Entropy (8bit):6.339735772308435
Encrypted:false
SSDEEP:6144:U82koJD/n28/8V+H0JWq8GRvWzaWKfCBQ/3o78qUc662F83Wcehs4qwdI:WkoJrn28UV+H0JWq8iEdq/FqIFQ4q2I
MD5:BAA4DE42156350754976DD563D02CDE4
SHA1:BA617EFEBE79C1A60DAF941F2766FA92FE1635DD
SHA-256:2CA8945C81BE66F6B023AF6DFA37D336FFDFB9A9A3E785F26F8891198D362295
SHA-512:B7A02698A795DBBC98A22C899CCC3E69C1070D9A2B678E9D5E682D21A31A4B4F9355A00061879310847C40D21C14253C4CE8639489C6509CE17E1E8CDB4D52A5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;Qy..0...0...0...,..~0..0...u0......~0......~0..Rich.0..........................PE..L....x)@...........!................PG.............(................................A............................... .......T...(....0..................P........o..........................................h... ....................................text............................... ..`.data...............................@....rsrc........0....... ..............@..@.reloc...{..........................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16810
                                                                                                                                                                                                                                                      Entropy (8bit):5.09051992169333
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:e1SZQqhQ9mrDH5YAZb8dhu9Qh4MbAItA8AlghsIGjY2:6SZ9+9kFb89WAAItA8sP
                                                                                                                                                                                                                                                      MD5:A6D669BD282B70E7BDD1E6D68CBF1CA1
                                                                                                                                                                                                                                                      SHA1:7DEA2AC97B5B53795D46B6BE0FE3E9FDE09344A6
                                                                                                                                                                                                                                                      SHA-256:A2A345810202792C81F49C0E41305237141922F67E1DF1F7441266749CB83BD7
                                                                                                                                                                                                                                                      SHA-512:1370B7EE531430991EB39067859B953E68A4AB986364DB29097CC4E2158236DEB3EB4877C11D360D9A9058A83580A36CBD79FACE36AF997CE537AEDAD39076D0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fnil\fcharset0 Times New Roman;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\lang1033\f0\fs20 CHICALOGIC END USER LICENSE AGREEMENT\par..\par..\par..IMPORTANT: PLEASE READ ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT BEFORE USING CHICALOGIC SOFTWARE. CHICALOGIC, INC. AND/OR ITS SUBSIDIARIES ("CHICALOGIC") IS PLEASED TO LICENSE THE ChicaLogic, Inc. SOFTWARE TO YOU AS THE INDIVIDUAL, COMPANY, OR OTHER LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERRED TO BELOW AS "YOU" OR "YOUR") ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND CHICALOGIC. BY CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHER INDICATOR OF YOUR ELECTRONIC ACCEPTANCE OF THIS AGREEMENT, INSTALLING THE DOWNLOADED SOFTWARE, ACCESSING THE SOFTWARE ONLINE, OR, IF APPLICABLE, BREAKING THE SEAL OF THE TANGIBLE MEDIA CONTAINING THE SOFTWARE
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):527432
                                                                                                                                                                                                                                                      Entropy (8bit):6.554357599549209
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:0d3w5EjjbHtGYp1H8sPF0ZMAHzrGOF2OAN0TxlgCh/4gezc3NTkv4xl7nRlQAz31:2w5EjPHr98lZFTFH9TrZ4gcc9TKE
                                                                                                                                                                                                                                                      MD5:6043B2F884CDE44CEEA91A34EB2FAE81
                                                                                                                                                                                                                                                      SHA1:5F0A4D9D2C61B0045B5C94CE366949CA26E49A11
                                                                                                                                                                                                                                                      SHA-256:5E08FCA6421A1E89538C52E8ACB1D9A83FAEC7138EED6451BB5D5180A4F39938
                                                                                                                                                                                                                                                      SHA-512:322591B9E87900BCF9B24020FCBC601CB250EB5A8C82838D4DCE10810D803A7EB692CF1462E79E7A3193A01FD7FCE8C32AC37EC42C2A51E93D873CB19DB61B95
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1{.OP..OP..OP.. &..XP.. &...P.. &...P..F(..XP..OP...P..OP..NP.. &...P.. &..NP.. &..NP..OP..NP.. &..NP..RichOP..........................PE..L...../Q...........!.........................................................@......;.....@.........................`M..i....>..........................H........O..0...................................@...............|............................text............................... ..`.rdata...K.......L..................@..@.data....Z...`...6...J..............@....rsrc...............................@..@.reloc...k.......l..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:Rich Text Format data, version 1, ANSI, code page 1252
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16810
                                                                                                                                                                                                                                                      Entropy (8bit):5.09051992169333
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:e1SZQqhQ9mrDH5YAZb8dhu9Qh4MbAItA8AlghsIGjY2:6SZ9+9kFb89WAAItA8sP
                                                                                                                                                                                                                                                      MD5:A6D669BD282B70E7BDD1E6D68CBF1CA1
                                                                                                                                                                                                                                                      SHA1:7DEA2AC97B5B53795D46B6BE0FE3E9FDE09344A6
                                                                                                                                                                                                                                                      SHA-256:A2A345810202792C81F49C0E41305237141922F67E1DF1F7441266749CB83BD7
                                                                                                                                                                                                                                                      SHA-512:1370B7EE531430991EB39067859B953E68A4AB986364DB29097CC4E2158236DEB3EB4877C11D360D9A9058A83580A36CBD79FACE36AF997CE537AEDAD39076D0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fnil\fcharset0 Times New Roman;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\lang1033\f0\fs20 CHICALOGIC END USER LICENSE AGREEMENT\par..\par..\par..IMPORTANT: PLEASE READ ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT BEFORE USING CHICALOGIC SOFTWARE. CHICALOGIC, INC. AND/OR ITS SUBSIDIARIES ("CHICALOGIC") IS PLEASED TO LICENSE THE ChicaLogic, Inc. SOFTWARE TO YOU AS THE INDIVIDUAL, COMPANY, OR OTHER LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERRED TO BELOW AS "YOU" OR "YOUR") ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS AGREEMENT. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND CHICALOGIC. BY CLICKING ON THE "AGREE" OR "YES" BUTTON OR OTHER INDICATOR OF YOUR ELECTRONIC ACCEPTANCE OF THIS AGREEMENT, INSTALLING THE DOWNLOADED SOFTWARE, ACCESSING THE SOFTWARE ONLINE, OR, IF APPLICABLE, BREAKING THE SEAL OF THE TANGIBLE MEDIA CONTAINING THE SOFTWARE
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):527432
                                                                                                                                                                                                                                                      Entropy (8bit):6.554357599549209
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:0d3w5EjjbHtGYp1H8sPF0ZMAHzrGOF2OAN0TxlgCh/4gezc3NTkv4xl7nRlQAz31:2w5EjPHr98lZFTFH9TrZ4gcc9TKE
                                                                                                                                                                                                                                                      MD5:6043B2F884CDE44CEEA91A34EB2FAE81
                                                                                                                                                                                                                                                      SHA1:5F0A4D9D2C61B0045B5C94CE366949CA26E49A11
                                                                                                                                                                                                                                                      SHA-256:5E08FCA6421A1E89538C52E8ACB1D9A83FAEC7138EED6451BB5D5180A4F39938
                                                                                                                                                                                                                                                      SHA-512:322591B9E87900BCF9B24020FCBC601CB250EB5A8C82838D4DCE10810D803A7EB692CF1462E79E7A3193A01FD7FCE8C32AC37EC42C2A51E93D873CB19DB61B95
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1{.OP..OP..OP.. &..XP.. &...P.. &...P..F(..XP..OP...P..OP..NP.. &...P.. &..NP.. &..NP..OP..NP.. &..NP..RichOP..........................PE..L...../Q...........!.........................................................@......;.....@.........................`M..i....>..........................H........O..0...................................@...............|............................text............................... ..`.rdata...K.......L..................@..@.data....Z...`...6...J..............@....rsrc...............................@..@.reloc...k.......l..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1127496
                                                                                                                                                                                                                                                      Entropy (8bit):6.488890971256239
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24576:m7+uEDVpEDH52BvDSG6XNAkV40/Q1tNqOgTDNhTmlnqnzu:OrTLo0/QTNqhTphqlnqnzu
                                                                                                                                                                                                                                                      MD5:F8340FF46DD9F7CF070F6C707EBA11C6
                                                                                                                                                                                                                                                      SHA1:02BC5EEC85A0FD2EC84775B5B88CB3D0610DC283
                                                                                                                                                                                                                                                      SHA-256:81712DD284B1E834E7BB16613DE348E453A6FD8244CFAA14AF6A8907F8C83ADE
                                                                                                                                                                                                                                                      SHA-512:FDD0C3E97D780ADE35A9363A4FEAD0AE8792E2ECD4C586CCE8BC83A79F582986425F7BD0182C755B7CC7F69E5DCA0371067DEBE7A8A69B9659856EF9AEE7AB02
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w$s..J ..J ..J .`. ..J .`. >.J .n. ..J .`. ..J .n. ..J ..K w.J ..J ..J .`. ..J .`. ..J .`. ..J ... ..J .`. ..J Rich..J ........................PE..L.....]Q...........!.....6..................P...............................p.......a....@.........................................0...x..............H...........S...............................................P..(............................text....4.......6.................. ..`.rdata..rf...P...h...:..............@..@.data....b.......>..................@....rsrc....x...0...z..................@..@.reloc..l............Z..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):95304
                                                                                                                                                                                                                                                      Entropy (8bit):5.981207201467423
Encrypted:false
SSDEEP:1536:K74We9oCdZ6GNDNe+D+Tfb0WdeSe+w4IW1DmeuvF5uV7s88Wf:K7E9h/J7+Tfb0y2+Z5mrvF5uNsjY
MD5:76549804F14999EDEB55598A84E2804B
SHA1:B6D8FAE4C7E4BC1376D7B0381EBCE9043E4A4AC2
SHA-256:5EAF813C597F9FEAD461771687BC452A30F0CBB66CC0BB843060CAA45C7AD987
SHA-512:6AF33E80F27D035F0B4F6CBFB4E862258AA3A75D522E62F7DA1196F368FA040D4B2D6F238D1249F4BB99B4007A0BF7EAC4013B5B910B610784CD13788AE77A73
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r1.6P..6P..6P..Y&..nP..Y&..<P..@...4P..?(..'P..6P..\P..Y&/..P..Y&..7P..Y&..7P..Y&..7P..Rich6P..........................PE..d...6./Q.........." ................ E..............................................L.....@.........................................p3.......(..................0....Z..H...............................................................@............................text............................... ..`.rdata...T.......V..................@..@.data....;...@......................@....pdata..0............4..............@..@.rsrc................B..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2191944
Entropy (8bit):6.642037719289481
Encrypted:false
SSDEEP:49152:M+uzsaJOaZZ5ULvyDB1bwJrbwnDOT00pnke2u6ln1GUcV4Zb4B:MVxJOwU7CrbwJwnDqke2ukn
MD5:6E4470AEA570CA88F4FAEF57BA59F0C5
SHA1:D02C99A75D596D1CFD928AD687842BF826B7703C
SHA-256:6D56B3F5CF27FEFEDD8CC823F8583FC082EE20B42E041B927975DFAF2C9CBAEB
SHA-512:F845C8DD32B9C6E2E221F4CA714AE979D400BC93D275954CD2B4DBD2E91B68D526EB34D782F4679D2F993655D44F340F2E2987D6157946F10832D049387CD224
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........DM..*...*...*.......*.......*.......*.......*......*...+...*...*...*.......*.......*.......*......*.......*.Rich..*.................PE..L...../Q...........!.........................0................................!......."...@..........................I..m....7.......................X!.H.......xY...8..................................@............0..`............................text............................... ..`.rdata.......0....... ..............@..@.data...<S...P.......>..............@....rsrc................0..............@..@.reloc... ......."...6..............@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):74312
Entropy (8bit):6.291733112880314
Encrypted:false
SSDEEP:768:J2qlA0Jww5dns1jG2rbt7nIdRkRexdhb1I2kkVJCED7nuj1dxD6S/omj/7P72UPv:JFG0JbVwra/BLkqL8xDZww/7KUP
MD5:D8B30620769A323FCB6253BCBA9542B6
SHA1:9FA60EA7F2D5FA49C633AA5AC07F1DE287E45D8B
SHA-256:B8FAC26DC5E2F773417D3F9E716AC531C37D09E59E50D659AD79F72E86E075A9
SHA-512:119A323DC959B91B5F2F2CD9F05A98E6C222C0130950BFCA3062FBDD4B32CA6D2BF620FBA40B1C42C427ECB56F202C918CEBA36B7A8A5EA9B6DF5626286B4531
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........nF...................l......................l.......................................Rich............PE..L....J.P...........!.........|.......S.......................................P............@.........................`...M...,...(.... ..................H....0..........................................@............................................text............................... ..`.rdata...8.......:..................@..@.data....&..........................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):46416
Entropy (8bit):4.872445450776674
Encrypted:false
SSDEEP:768:JjBzwlSCIuAXEDsyPFHhOlLA57EkcAZnhtyFmNj/LWFbCF:JLuAUocFHMlL07fRZPHDaNCF
MD5:91EA28804EC3A71126841554199E28BC
SHA1:00D568F31E6D4E2110F54C3FEA93219092181891
SHA-256:E5F85613264ED15FCA01E332068CB4515D56FB7F4F7267B4A94DEB06B7944063
SHA-512:F8209A77DD64B9562057ECC2DA1DE46FE763E1B0E6459FF4CFB5EFAE05300B8027BC71C3F44033D8BE0B2115AAF3ACDAD6A8B83796F26044F88BC76E5C466E82
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.._>.._>.._>..."..^>......Z>......^>......^>..Rich_>..........PE..L.....3>...........!.....P...@...............`.......................................................................W.......S..(....p..................P...................................................X... ....................................text....H.......P.................. ..`.data........`.......`..............@....rsrc........p... ...p..............@..@.reloc..z...........................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:InnoSetup Log ChicaPC-Shield, version 0x30, 10690 bytes, 467601\user, "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield"
Category:dropped
Size (bytes):10690
Entropy (8bit):5.168951823595991
Encrypted:false
SSDEEP:192:GClBlhfkm2ANOmG7kk0IN8ICSsAAWejTstMbGBKiCpp8CYlZE/34+JqMimOl2qUE:blh7NOmAkkLAWe7hx8l/L
MD5:E3F42B3D4A8145CB01BD3A5E739DAEE8
SHA1:755F53CC60C7684FA9A9171D26CFB0268CD53C32
SHA-256:93BBB2755DD8C8E212017555E46EF978E6D296F77CDB6497DD83D25A9829C886
SHA-512:8941FC3A0DE7C705C48E0C0188F88F9BE268D2E54AF3B88D354FDDA658195F5ED9224F20C6A9C3E186C782EF98647FD861C5BA9AF9247BF6CA247E84DDF5B091
Malicious:false
Preview:Inno Setup Uninstall Log (b)....................................ChicaPC-Shield..................................................................................................................ChicaPC-Shield..................................................................................................................0...A....)..%................................................................................................................{.]........vgu.......Q....467601.user0C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield...........9.(.,.. ............IFPS........&....................................................................................................BOOLEAN..................................................................$...........!MAIN....-1..1...dll:setup:files:mbam.dll.ProtectionUninstall.......5...dll:uninstall:{app}\mbam.dll.ProtectionUninstall......./...dll:setup:files:mbam.dll.ProtectionInstall.......0...dll:setup:files:mbam.dll.SchedulerUninstall.......4...
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):712264
Entropy (8bit):6.524059965918702
Encrypted:false
SSDEEP:12288:qTPcYn5c/rPx37/zHBA6a5UeypkxmFERhD7rNdR81QNERxyF:iPcYn5c/rPx37/zHBA6pDpk8FEK1uERU
MD5:C2BE7988C8762E314534B2908C4D6E49
SHA1:CBC373D596D389F5ABEA8177D1F86EE767284466
SHA-256:4A53C567369F2F30571019E17B13F650680280962B9C4105B2B3CF306FE47C36
SHA-512:EEFA58E16BBFBEFD1AFBF63409CDF5907FBE87BDD5BCFFEB9FEC47790E0428E3290ED22108EAE4BCD6711C9CD92D947E87CFBF68EBCF37FE4A68405142776216
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................z........................@..............................................@...............................%......................H...........................................................................................CODE.....y.......z.................. ..`DATA.................~..............@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................P..............@..P........................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:InnoSetup messages, version 5.5.0, 220 messages (ASCII), &About Setup...
Category:dropped
Size (bytes):11277
Entropy (8bit):4.696222526137289
Encrypted:false
SSDEEP:192:+yuyHdp77ksdrKUURqCZYcI71gWb/I+XIWCMVtos:1Fz7J5KaCZYcI71Tb/rIWCMVtF
MD5:1A5EFCDFF3AA344588E9624F73386193
SHA1:5FCE901ACEC50BAACF647404ABCDBCF328C60DC7
SHA-256:E2E13726C44B23FAAE8D1CC7BD53D83DDCB93B537CEA405A09261BFEE8B199B6
SHA-512:6A04C40BC72D2B9853848337A45F87558CD8595176A1F8508FAE130E847CCA84AC608818249598C8937F60F8FD1E257D535BA20B23F030E55BB8825895E734C6
Malicious:false
Preview:Inno Setup Messages (5.5.0)..........................................+......]..E&About Setup....%1 version %2..%3....%1 home page:..%4..About Setup.You must be logged in as an administrator when installing this program..The following applications are using files that need to be updated by Setup. It is recommended that you allow Setup to automatically close these applications..The following applications are using files that need to be updated by Setup. It is recommended that you allow Setup to automatically close these applications. After the installation has completed, Setup will attempt to restart the applications..Folder names cannot include any of the following characters:....%1.The folder name cannot include any of the following characters:....%1..Select a folder in the list below, then click OK..Browse For Folder.< &Back.&Browse....Cancel.&Finish.&Install.&Make New Folder.&Next >.&No.N&o to All.OK.B&rowse....&Yes.Yes to &All.Setup cannot continue. Please click Cancel to exit..Setu
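The dropped-file records above follow one fixed Field:value layout, which makes them easy to turn into IOCs. The script below is an added example, not code from the Joe Sandbox report or from the analysed installer: it parses records in that layout into dictionaries, checks that each digest has the length and hex alphabet its algorithm requires, reduces the records to a blocklist-ready form, and re-derives the Entropy (8bit) metric (Shannon entropy in bits per byte, 0 to 8) so the figures in the report can be reproduced on the files themselves. SAMPLE is a constructed excerpt of two of the records above with the previews truncated; the packed-file threshold of 7.0 bits per byte is this example's own rule of thumb, and all function names are this example's own.

```python
"""Parse Joe Sandbox "dropped file" records into IOC dicts and re-derive the
Entropy (8bit) metric.  Added example, not part of the Joe Sandbox report or of
the analysed installer.  SAMPLE is a constructed excerpt in the report's own
Field:value layout (hash values copied from two records in the report; previews
truncated).  Function names and the 7.0 packed-file threshold are this example's own."""
import math
import re
from collections import Counter

# Constructed sample, modelled on the records in the report.  A record starts at "Process:".
SAMPLE = r"""
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2191944
Entropy (8bit):6.642037719289481
Encrypted:false
SSDEEP:49152:M+uzsaJOaZZ5ULvyDB1bwJrbwnDOT00pnke2u6ln1GUcV4Zb4B:MVxJOwU7CrbwJwnDqke2ukn
MD5:6E4470AEA570CA88F4FAEF57BA59F0C5
SHA1:D02C99A75D596D1CFD928AD687842BF826B7703C
SHA-256:6D56B3F5CF27FEFEDD8CC823F8583FC082EE20B42E041B927975DFAF2C9CBAEB
SHA-512:F845C8DD32B9C6E2E221F4CA714AE979D400BC93D275954CD2B4DBD2E91B68D526EB34D782F4679D2F993655D44F340F2E2987D6157946F10832D049387CD224
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:InnoSetup messages, version 5.5.0, 220 messages (ASCII), &About Setup...
Category:dropped
Size (bytes):11277
Entropy (8bit):4.696222526137289
Encrypted:false
SSDEEP:192:+yuyHdp77ksdrKUURqCZYcI71gWb/I+XIWCMVtos:1Fz7J5KaCZYcI71Tb/rIWCMVtF
MD5:1A5EFCDFF3AA344588E9624F73386193
SHA1:5FCE901ACEC50BAACF647404ABCDBCF328C60DC7
SHA-256:E2E13726C44B23FAAE8D1CC7BD53D83DDCB93B537CEA405A09261BFEE8B199B6
SHA-512:6A04C40BC72D2B9853848337A45F87558CD8595176A1F8508FAE130E847CCA84AC608818249598C8937F60F8FD1E257D535BA20B23F030E55BB8825895E734C6
Malicious:false
Preview:Inno Setup Messages (5.5.0)....
"""

# Digest hex length per algorithm: a value of the wrong length was mangled in transcription.
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}
AV_LINE = re.compile(r"^•\s*Antivirus:\s*(?P<vendor>.+?),\s*Detection:\s*(?P<pct>\d+)%$")


def parse_records(text: str) -> list[dict]:
    """Split report text into one dict per dropped file."""
    records: list[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AV_LINE.match(line)
        if m:  # bullet under the "Antivirus:" header -> list of (vendor, percent)
            records[-1]["av"].append((m["vendor"], int(m["pct"])))
            continue
        key, _, value = line.partition(":")  # first colon only: paths contain ':'
        if key == "Process":
            records.append({"av": []})
        rec = records[-1]
        if key == "Size (bytes)":
            rec["size"] = int(value)
        elif key == "Entropy (8bit)":
            rec["entropy"] = float(value)
        elif key in ("Encrypted", "Malicious"):
            rec[key.lower()] = value.lower() == "true"
        elif key in HASH_HEX_LEN:
            rec[key] = value.lower()
        elif key != "Antivirus":  # the bare header line carries no value
            rec[key] = value
    return records


def validate_hashes(rec: dict) -> list[str]:
    """Names of digest fields that are missing, mis-sized or not hex."""
    bad = []
    for name, n in HASH_HEX_LEN.items():
        v = rec.get(name, "")
        if len(v) != n or not re.fullmatch(r"[0-9a-f]+", v):
            bad.append(name)
    return bad


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8: the definition behind the report's Entropy (8bit) field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def iocs(records: list[dict], packed_threshold: float = 7.0) -> list[dict]:
    """Reduce records to what a blocklist or hunt query needs."""
    out = []
    for r in records:
        out.append({
            "sha256": r["SHA-256"],
            "type": r.get("File Type", ""),
            "size": r.get("size"),
            "max_av_pct": max((p for _, p in r["av"]), default=0),
            # Whole-file entropy near 8 bits/byte usually means packed, compressed or encrypted
            "likely_packed": r.get("entropy", 0.0) >= packed_threshold,
            "hash_problems": validate_hashes(r),
        })
    return out


if __name__ == "__main__":
    for ioc in iocs(parse_records(SAMPLE)):
        print(ioc)
```

Run against the report's records, none of the dropped files comes near the packed-file threshold, which agrees with the Encrypted:false flag on each of them; to reproduce an Entropy (8bit) value exactly, read the dropped file from the sandbox and pass its bytes to shannon_entropy.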
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):496976
                                                                                                                                                                                                                                                      Entropy (8bit):6.339735772308435
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:U82koJD/n28/8V+H0JWq8GRvWzaWKfCBQ/3o78qUc662F83Wcehs4qwdI:WkoJrn28UV+H0JWq8iEdq/FqIFQ4q2I
                                                                                                                                                                                                                                                      MD5:BAA4DE42156350754976DD563D02CDE4
                                                                                                                                                                                                                                                      SHA1:BA617EFEBE79C1A60DAF941F2766FA92FE1635DD
                                                                                                                                                                                                                                                      SHA-256:2CA8945C81BE66F6B023AF6DFA37D336FFDFB9A9A3E785F26F8891198D362295
                                                                                                                                                                                                                                                      SHA-512:B7A02698A795DBBC98A22C899CCC3E69C1070D9A2B678E9D5E682D21A31A4B4F9355A00061879310847C40D21C14253C4CE8639489C6509CE17E1E8CDB4D52A5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;Qy..0...0...0...,..~0..0...u0......~0......~0..Rich.0..........................PE..L....x)@...........!................PG.............(................................A............................... .......T...(....0..................P........o..........................................h... ....................................text............................... ..`.data...............................@....rsrc........0....... ..............@..@.reloc...{..........................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):142
                                                                                                                                                                                                                                                      Entropy (8bit):6.735980306109167
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:2fB1WDYZs4S8yQyun38hu3dramTusdwCd4UkGl:61WB4GQy2D3dOmTuSeUkA
                                                                                                                                                                                                                                                      MD5:2F275DA13F68A4E6C2D7154FBDDC8451
                                                                                                                                                                                                                                                      SHA1:07FD1A4D93AE8788C1934365488B6136D02B8861
                                                                                                                                                                                                                                                      SHA-256:97F76D2EEEDBA90A0B2D00723417CEA78C50DF79459DE4C4FC35574B8821A6F3
                                                                                                                                                                                                                                                      SHA-512:56846D85472A260E2FE16225804D0758AF3B2895FCD2AFF385161A29DBB31B131CC7793465612E7BA27EBCCEA590DE951BE1038E53FAF0E13455BAFFCB6BEF1D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:M..y+z.<b0.....+.. ...}:...y.....'...m...A..A5 ....,.Fa.*t.,F.........._.4...J.?.8`..%q...|:2...?<........._2.....Y..s..v..5.........
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):3258
                                                                                                                                                                                                                                                      Entropy (8bit):7.95290126060931
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:31WdW/B7wmxHoHmCOQfBsBLw4DOU8uudSsVdYWh2:31Wd2MmBoHm9QfBsBLw4VWYG2
                                                                                                                                                                                                                                                      MD5:E6676357E76BC8771F9A0BFA6839CFBC
                                                                                                                                                                                                                                                      SHA1:55B779741717A67EDBA2F9B697937CACE43EA105
                                                                                                                                                                                                                                                      SHA-256:8768DDAE90F83A45DC87AF8B251F3B711E41D8361361C0E5F62EC3AE72B0C8B1
                                                                                                                                                                                                                                                      SHA-512:6DA7614C81B61D981ACB3FB253A861ACD6C2DB17AFB21ABD78DA40238E57591623636124206F26B846FF785C206257857465655AEE1ED81EEF2C1A955F973589
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.3.h<i.o.~.....od...-xhm.;-.S....f.......R.(qnQ.../.Sa.~w.g@............`......b.B$C.!v...E~g...o}"........w.....b...y..9..{h....^Gb.L.\..xM.........p=%q<..j.d.v.....=.o..t=..I.V...p.!V.,r@.mP......K...~<Gy....V3W...`+.G...K..RF..Fn.....sBD,+.*i.g.i......U.r.:.|......:~..3...SA.HE.&$...MaLt... .....JP .1-:...d*...zM......N0$P9.....M..u.Gq..~w3.<.5....R.B.E../#V...t..P.Q.qE...f...{....X.....s'F.o?g.....P.....^..vb.!.*.x./.4 bx.-.5..>..sP.........U..T.}8....U.J&y.|.......Z...b.n. n8..t...O...9....k%(.$TY..Q....z.H..d..^..k....@{... T..rC.x.\&~^`._MS....P..5=|.f.G_..Y.......kq.....Y..j-\..!.P.#.C.a....X..Dg..h...L.......N<Y.....w...)..Wu....,...`Y.....O....>w.x<Q.*..y.M/3....l+.......P._..~.k.G.UCi.8L.\j...7..q.3A;h3.)... ..T.o..us......k5.b0..m.Q ./!2.......u..6....W.....".**S...oY.......3..\:.M...6...^.......z....R..n.\.J..!.....s....q......=<5{MO.cs4..e.E.D..}.\...B3.....tI....<a...1'.._.)....hW.|W..&.W...{..=Q..,......>S..S*|....k+.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):20
                                                                                                                                                                                                                                                      Entropy (8bit):4.221928094887362
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:KZqXK9O:CqXK9O
                                                                                                                                                                                                                                                      MD5:529584EC24AB8643D97E43EB2C0BFA6F
                                                                                                                                                                                                                                                      SHA1:95AABFB6F47E24D278808C29C0E6C2B6B1195A63
                                                                                                                                                                                                                                                      SHA-256:54FA58F6F44DFFDCED1C0AC7212C292E36A76049AAE98E09D22C3A08661EB66E
                                                                                                                                                                                                                                                      SHA-512:F4394523E28C74780DC64C779A35BBBFC61F707A1628D43D3D7FE49782593D41E0BD2CC1FAD76FC53C11C91F15CE3098537B6B628C4C5DF2BD51BE49BBC71C5D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.3.h<i.o.~.....ld...
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):432
                                                                                                                                                                                                                                                      Entropy (8bit):7.497715151628741
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:6qRfpkD+qglWXyYJDPTsXlet0ZWs28a0TWSUsUIBVk7r:6ekFzyGDg1ea8R82SjC
                                                                                                                                                                                                                                                      MD5:34A626D29697DE3C62D507E7E00E7DB5
                                                                                                                                                                                                                                                      SHA1:D1E98F8E33CFC97B17928EB3438511A78EFDDCCE
                                                                                                                                                                                                                                                      SHA-256:75133AF2F9E8C3E4B0360091072891A18180714D76A479FB5F8334C55CE4BFBB
                                                                                                                                                                                                                                                      SHA-512:6828D66CAE2C51C97F69A8C92DF593B23BAC54A92D30913FA9967B5074BDAB5C8965F09BBDBCF38FB3EE9B18F29B41E1D8CCB650D72437384E0994191143ED2E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:P..w?~.rR......<....c=<4._T~.....'.......K..q5l....;.A..*2.i.............2...S.6.PwDJ'c...N3u...+<v........S4.....-.t...7..z%....N.=..H..P1W.....Kx..$|q">..n.k.3......m..x%..\.h..|.I>.xb@.m[......Z...z.[bqG..f4D...xc....._.@....Ao.......ky.gF.t.6..P..PJc.5.s....J.K?w.F|...BA.TR.7<...3.=.c ......^.s.:l0...3{...:.......f2.%,.....O..+..%...?![.S.f[..1...E..2v....t....)......~...?N........s'F.n+x..y...KA
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2762
                                                                                                                                                                                                                                                      Entropy (8bit):7.9377620479734405
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:BOH12yXks7nYai3plXpVrb1CGSiOsYuKKFe1sWdeITOIPIigfqazavIZrHpoE:BOJnY35fCGISrWdeqngF4K7pP
                                                                                                                                                                                                                                                      MD5:FB893D6DE8B37A994A4FBD1579502E9F
                                                                                                                                                                                                                                                      SHA1:BD728D3E53F6EF34C58C854B55112F8645DDD84D
                                                                                                                                                                                                                                                      SHA-256:0825BD7F34AC058857B81E44E10753AB37043549207BE0BE61CB42E4324EB5DC
                                                                                                                                                                                                                                                      SHA-512:7FC6AC8E4898BEA68B8ACE6F79D022D7B620322783D5C2C514DB08E6DDF91549852672B19581F4AC5DAA188629E15D196A86A5F1BECBEA0C5C3486FA2F78E0F0
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:K..m0t.<H!.....Tc.n./'.]..Mt.....k...,..i...EE_.....sP.F[.i...........NeK..D.?.f2C.7l..F3+...E@t........p......j...:..z.. M.....QJ>.H.\..b......"Q..X~o>0..g.r.:...&.v..6g.._......z..e.5(K.a[.^N...O...7)Aw8...zn@...0S.)..\...s.AG....f^_v..3P.z.d........`.".G7..6.K0i.Tz.....HL^..1!...KfRx...(a.....KE>.:gh.N.&o...pS......Xkw.-.....D..0.Ob.h|..+.f.....9...[.@.>R.....P../.....i............5k..:"|..<...._......}.. .1.<.w.|eti.1.?..b..l.Y.K.........B.y$....@.J.~c.d....}.D..\..{.'..;o.N6.......|..G.//$.z........x....u..........@)....:F..v[....4?.q....M..J...wx&.p.N..U..S..0.6p...G.O..>y@.`...t.........Mz..N6..2.]..I...^..T.E....`...zM..!.....|......{..9#..c....4.m...,..+.I/.....l2.*.K...N.]..j.j.;.X@n."..Xi..[.y..vQ7p3.=m...A...o...z7...E.+..%d..p.U=.W,.....,..:..#V....o.....m.`:....|^..S...f...n..^..2..[.J...../.@.D..$....E.?...f.}....5[......wz:]..ij.3.!.Y....)..V....(>....4P....<y.,&0..IXu...8...8..;.\...y..(B..t...\?H...b|...q<.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):432
                                                                                                                                                                                                                                                      Entropy (8bit):7.497715151628741
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:6qRfpkD+qglWXyYJDPTsXlet0ZWs28a0TWSUsUIBVk7r:6ekFzyGDg1ea8R82SjC
                                                                                                                                                                                                                                                      MD5:34A626D29697DE3C62D507E7E00E7DB5
                                                                                                                                                                                                                                                      SHA1:D1E98F8E33CFC97B17928EB3438511A78EFDDCCE
                                                                                                                                                                                                                                                      SHA-256:75133AF2F9E8C3E4B0360091072891A18180714D76A479FB5F8334C55CE4BFBB
                                                                                                                                                                                                                                                      SHA-512:6828D66CAE2C51C97F69A8C92DF593B23BAC54A92D30913FA9967B5074BDAB5C8965F09BBDBCF38FB3EE9B18F29B41E1D8CCB650D72437384E0994191143ED2E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:P..w?~.rR......<....c=<4._T~.....'.......K..q5l....;.A..*2.i.............2...S.6.PwDJ'c...N3u...+<v........S4.....-.t...7..z%....N.=..H..P1W.....Kx..$|q">..n.k.3......m..x%..\.h..|.I>.xb@.m[......Z...z.[bqG..f4D...xc....._.@....Ao.......ky.gF.t.6..P..PJc.5.s....J.K?w.F|...BA.TR.7<...3.=.c ......^.s.:l0...3{...:.......f2.%,.....O..+..%...?![.S.f[..1...E..2v....t....)......~...?N........s'F.n+x..y...KA
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):2762
Entropy (8bit):7.9377620479734405
Encrypted:false
SSDEEP:48:BOH12yXks7nYai3plXpVrb1CGSiOsYuKKFe1sWdeITOIPIigfqazavIZrHpoE:BOJnY35fCGISrWdeqngF4K7pP
MD5:FB893D6DE8B37A994A4FBD1579502E9F
SHA1:BD728D3E53F6EF34C58C854B55112F8645DDD84D
SHA-256:0825BD7F34AC058857B81E44E10753AB37043549207BE0BE61CB42E4324EB5DC
SHA-512:7FC6AC8E4898BEA68B8ACE6F79D022D7B620322783D5C2C514DB08E6DDF91549852672B19581F4AC5DAA188629E15D196A86A5F1BECBEA0C5C3486FA2F78E0F0
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):321
Entropy (8bit):7.400769518086214
Encrypted:false
SSDEEP:6:qfL4sxiVv8OWNqbG7CG3QEcqZsa0882NM4apF9V/KmWFRoj/iNoCEEzjIX:qf0ui8NB1Q4Z1rWzV6RojOFvoX
MD5:7A7EFDD8689A4B56134730EC90ABB1B0
SHA1:0B942791A7038E97BBD265070971EB9CE0D18D98
SHA-256:0A903C89BC186426E59FE36878A0FD9103CDDD8934DC742333ADB02A92C0BCDA
SHA-512:27D0249141813C2DDACA2C9FF48E291910C6E42BD13F6B4BF6ACA0E832FBDB9CD16A34B846AB906259DC7B3AEDAAEAD6DC50FE75C566F0B5027C9D57865FEE01
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):131
Entropy (8bit):6.549575077985894
Encrypted:false
SSDEEP:3:KZqXK9MyLzMoVhxsmGecdt78HKqKn2z51gqwn4sMFULFFKepn:CqXK9My3ZgD3t2A4DCBFT
MD5:8661D1596435A702F403C5F35BCE19B0
SHA1:F886E49D5692CFA8F0E7A0F27A8387F07F763966
SHA-256:D81784D2414CE8BD02A241F057A00E5C0AE86D4A1AEC7A9CFFCD7B8005308444
SHA-512:4F0368D7EAA78396E61EAF9CC688700628FF9289BC3D9836DA148381AB5F7D35EA43AE7142C50693A47C3665DFA27026FBFF64C57C57D0149F8B38253772D521
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):3258
Entropy (8bit):7.95290126060931
Encrypted:false
SSDEEP:96:31WdW/B7wmxHoHmCOQfBsBLw4DOU8uudSsVdYWh2:31Wd2MmBoHm9QfBsBLw4VWYG2
MD5:E6676357E76BC8771F9A0BFA6839CFBC
SHA1:55B779741717A67EDBA2F9B697937CACE43EA105
SHA-256:8768DDAE90F83A45DC87AF8B251F3B711E41D8361361C0E5F62EC3AE72B0C8B1
SHA-512:6DA7614C81B61D981ACB3FB253A861ACD6C2DB17AFB21ABD78DA40238E57591623636124206F26B846FF785C206257857465655AEE1ED81EEF2C1A955F973589
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):142
Entropy (8bit):6.735980306109167
Encrypted:false
SSDEEP:3:2fB1WDYZs4S8yQyun38hu3dramTusdwCd4UkGl:61WB4GQy2D3dOmTuSeUkA
MD5:2F275DA13F68A4E6C2D7154FBDDC8451
SHA1:07FD1A4D93AE8788C1934365488B6136D02B8861
SHA-256:97F76D2EEEDBA90A0B2D00723417CEA78C50DF79459DE4C4FC35574B8821A6F3
SHA-512:56846D85472A260E2FE16225804D0758AF3B2895FCD2AFF385161A29DBB31B131CC7793465612E7BA27EBCCEA590DE951BE1038E53FAF0E13455BAFFCB6BEF1D
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):184
Entropy (8bit):6.899681589103373
Encrypted:false
SSDEEP:3:n7eAXali3N/NtFJ7hxxQghQjjrWqlaUpDmDueJDnqS7hXrqNwo3ooqIuwoALYUHx:7eAXz/NvzGjGqlHtmDpDqwhww/5ex
MD5:5A4535CE45D1A6A84DAB4F6D3B891BBA
SHA1:59830E8DA4D813AE1A72C4C2EF8E1AD8C5059A5A
SHA-256:99C173C423F84A0C7185E883CE9BAF820135DE3AB532FB14799AECFEAF315009
SHA-512:CFE02184D2E0C4C6858CA2DC1F406EF16B337795721385480A3261FAE2BF9888F31693193CEA03D3512EDA1F849DBE5E3435D8CFA6062D3670636677443B4C72
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):1430
Entropy (8bit):7.8514817294491195
Encrypted:false
SSDEEP:24:8ICgNAfYc5fnf0Ou2xa8x6qQPLtcfl+lApM8xkNbSzePhPT83JcpF/QI:8nokB5ffTx6FLislApMxBYEPTeJcplQI
MD5:83A933C593922DA6A3712856308E56F6
SHA1:C1A37617B5FBE69988864E84ED2949BCC6AE9882
SHA-256:D4325F1C1A2D5C5F56A0D239EFD75D668E2211F981FA914797C4B147DC2B00CC
SHA-512:0F0D10911EF31CD1B154BC8F1BAD95D537E50AD880C9B422BE69957C86364A09877AF424EC7A52710DE1CE534214ADC7B7ECED82EB9E8F3D3B64074F8FA5C01B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):4.221928094887362
Encrypted:false
SSDEEP:3:KZqXK9O:CqXK9O
MD5:529584EC24AB8643D97E43EB2C0BFA6F
SHA1:95AABFB6F47E24D278808C29C0E6C2B6B1195A63
SHA-256:54FA58F6F44DFFDCED1C0AC7212C292E36A76049AAE98E09D22C3A08661EB66E
SHA-512:F4394523E28C74780DC64C779A35BBBFC61F707A1628D43D3D7FE49782593D41E0BD2CC1FAD76FC53C11C91F15CE3098537B6B628C4C5DF2BD51BE49BBC71C5D
Malicious:false
                                                                                                                                                                                                                                                      Preview:.3.h<i.o.~.....ld...
Process:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
File Type:data
Category:dropped
Size (bytes):474
Entropy (8bit):7.554711593100334
Encrypted:false
SSDEEP:12:5HPtbypzJ+DC8Yer35o10wGfNipj3EaKYMLEUlXQj5kQTBJMSI:ZPt2J+D/YerS10OjkY+EeQ2G7Y
MD5:50682FA0E3378107F37CCFB7C8C9BCEE
SHA1:C95CCCD31782E2319A339E2FE9387E4FAFFAB035
SHA-256:578C450B61348B415DEDF631C4F4E5EAFB33C3B0507C55036EA38F5E96C48F64
SHA-512:356D5C86D2C267FDBD46BCDF201B02A2E26AC4128A004BF86162A840D08DE258E3BD011B78631A47499E0BC402F001ECF6F52F853FCFB428DE7C73B0BB569A6A
Malicious:false
Preview:Q..{7h.<b0.....cI.8.c=u3...9y...~...,...R..k5p....x..%.*|.$F..........Jl...D.....`..7`...E7}....l$.........d....y..y~.~..5.....JG{.S.I..nY.....,...K?%"j..?.;.l.....n.O..9h..Z.L..=..V.,bK.~V......C...xn?68...*a.|...c{....@.@TU..;....kUH -.*P@..=..R..B^*.a.%U..J..z/.C{...B.K]...vO...GgV{...jp.....KE&.**:.B.~&..).......A0>[tH.....V..d.,p..7.O...'.....U.B...."(.....6.XQ.v.M..9...5T..I.....f0V.cs...y...\[......)t.!.h.a.x.%ry<.9.`..7..&L.........
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):184
Entropy (8bit):6.899681589103373
Encrypted:false
SSDEEP:3:n7eAXali3N/NtFJ7hxxQghQjjrWqlaUpDmDueJDnqS7hXrqNwo3ooqIuwoALYUHx:7eAXz/NvzGjGqlHtmDpDqwhww/5ex
MD5:5A4535CE45D1A6A84DAB4F6D3B891BBA
SHA1:59830E8DA4D813AE1A72C4C2EF8E1AD8C5059A5A
SHA-256:99C173C423F84A0C7185E883CE9BAF820135DE3AB532FB14799AECFEAF315009
SHA-512:CFE02184D2E0C4C6858CA2DC1F406EF16B337795721385480A3261FAE2BF9888F31693193CEA03D3512EDA1F849DBE5E3435D8CFA6062D3670636677443B4C72
Malicious:false
Preview:P..w?~.rR......?.. .c=<w.TRh.....6......S..$x:u.E.b.Fw.c}.s............d.#......f.\z.Br7...?"..lu8.........n.....8..{..-./)....SH5..M..b+C.....mX..$|q"...x.e.l.....`.,..)x
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):1430
Entropy (8bit):7.8514817294491195
Encrypted:false
SSDEEP:24:8ICgNAfYc5fnf0Ou2xa8x6qQPLtcfl+lApM8xkNbSzePhPT83JcpF/QI:8nokB5ffTx6FLislApMxBYEPTeJcplQI
MD5:83A933C593922DA6A3712856308E56F6
SHA1:C1A37617B5FBE69988864E84ED2949BCC6AE9882
SHA-256:D4325F1C1A2D5C5F56A0D239EFD75D668E2211F981FA914797C4B147DC2B00CC
SHA-512:0F0D10911EF31CD1B154BC8F1BAD95D537E50AD880C9B422BE69957C86364A09877AF424EC7A52710DE1CE534214ADC7B7ECED82EB9E8F3D3B64074F8FA5C01B
Malicious:false
Preview:.3.h<i.o.~.....od....xo$.VIu........o..C..q..r.E.b..3.hw.(..,..........Nb...D..{.?J.Sd%...Z; ...1<.........u....}....T..7.nj....gJf.W.O..b......,...w9'g*..r.*.7.....C."..9h..A.@..r..|."1..."..L@.......z!Tnn...c,KL..Z;:.Z....m*....;....fT.k-.2Pw.....B....g.&.(n..J.K?w.Mv...Q...U.55....3.=.u|......cT1.- h.V.WB.).....C?m.FJ....,e..q..%..h`.. .f.....1.o...Zkl.....1.O..5.[T.&...<P........>f..e8f..7..A......^..wC.0.*.t.{.us"=.;.p.Uj..Ov..Q........r.l4..W.E..+.].... .].G...d.3..>f.+x...O..|O.^.'.$.#HI..|....5....&..e..z....$... E..cO.0_.-r.:.u\_.......$J0.$.+~........:.12...I.O..f-M..0...j.R.*..O...C.Uk..d.E.Lw...Z....d.o7...{...jX..!.....e.S.As.... '..g...G...o..0.....%VN...w..........O.t..,.G...:.vH.Fm...0..[.3.n$v.gg..... .{..,;.@.[.0t.s-..".Q%.j|!...P..r........V.....y.o..G..oO...J..a...u..... ...\.P.....`.W....e.C....x..Li.e....#.......<0>5.B.(#\<.$....S..h..W..U`&....o.....1p..;1!..B.{I..r...|...+.....4..&G..(...S>T..?T5....#..
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):131
Entropy (8bit):6.549575077985894
Encrypted:false
SSDEEP:3:KZqXK9MyLzMoVhxsmGecdt78HKqKn2z51gqwn4sMFULFFKepn:CqXK9My3ZgD3t2A4DCBFT
MD5:8661D1596435A702F403C5F35BCE19B0
SHA1:F886E49D5692CFA8F0E7A0F27A8387F07F763966
SHA-256:D81784D2414CE8BD02A241F057A00E5C0AE86D4A1AEC7A9CFFCD7B8005308444
SHA-512:4F0368D7EAA78396E61EAF9CC688700628FF9289BC3D9836DA148381AB5F7D35EA43AE7142C50693A47C3665DFA27026FBFF64C57C57D0149F8B38253772D521
Malicious:false
Preview:.3.h<i.o.~.....ld...-xk$.<*.y...p.........3a:_.o.H..i.dy.D)...........Tg......j.8`.Sd`..D7#...jp%.........=......y../T....
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):6302342
Entropy (8bit):7.999972936872293
Encrypted:true
SSDEEP:196608:MPBf0K9/bDPsBDfzQqsPMkskQbSuB7OeFr7jC:MPBJJ3PWbz9/kbulL1C
MD5:1A08F442E5067494A73361F6E3137E18
SHA1:39E056E5D8FF330EDC85DCD65D9C072C239F2920
SHA-256:DB47787C60C915DC51D3115F5FC7CA69EC64F348E41406F24F0D2276759C23A6
SHA-512:AE1598E2FF9E39DA7977BB574BAF644B4833E6528792CDDC4C049BAC77C671452752F6B9FACB3F16C6112322441E15EDDB91A8E35AE3BCBD4A51B67D50BEF15D
Malicious:false
Preview:..7......~. . ...d...O.7..;.......t...JZ...O./...;.%<......1~#Hhh..(....+4.;....,..._.<h>...].........HD.IGZ..@@>?.m.}TT....wy.KI......4....?.rq&aE.=.>..b7...p..[k\E.cl...N.s.tFqtG.....&}..[..|.=...UQ3...m.o.}."..*.n.._?._.uAS....#.{e...<@.$x..<..>....7....|..._.}.....>..).\#...j.V(.5..gh...).).X....eA\:....5...[.........@M............}..]..nn$..g....."f...@2..]G.W_.3S..../........<..BZ.:-..+A.{H.%.9...9.pe...9.F_....M..&.......W.Fm}<..P....e.T.a..u.{.u.J...@g#g...I.......o.^...unK.....?.Aq...r.DG..)..m..c....<$.ST.<..2>..3....n.j......&......t.....P..{...._.%V..tf$....(...C'..i......1A.yJ..........aV.RM.xS.....=.y.~..N.m..../.{..{h.?!*S...w..Tt.U.`..V.Zz3...>...y.....cG.J.l..1"....k.....f..g.u.~1oN.....j.....4......S>...B@.,I|bO...Mug^>5.rk....,j.;..'N/W.XI.J7.hpp6...]..SF...y.'..PT..w..}M....L..y.q.<.+{CR..q..SF.........O*7.w).....d=I+.J~$Gh..x<h.E.........&6...\..l..A.g..V* .M...i.....I....si...Lv./&..p..WL...../$a..x.p.x..&.Z.%.A...
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:data
Category:dropped
Size (bytes):6302342
Entropy (8bit):7.999972936872293
Encrypted:true
SSDEEP:196608:MPBf0K9/bDPsBDfzQqsPMkskQbSuB7OeFr7jC:MPBJJ3PWbz9/kbulL1C
MD5:1A08F442E5067494A73361F6E3137E18
SHA1:39E056E5D8FF330EDC85DCD65D9C072C239F2920
SHA-256:DB47787C60C915DC51D3115F5FC7CA69EC64F348E41406F24F0D2276759C23A6
SHA-512:AE1598E2FF9E39DA7977BB574BAF644B4833E6528792CDDC4C049BAC77C671452752F6B9FACB3F16C6112322441E15EDDB91A8E35AE3BCBD4A51B67D50BEF15D
Malicious:false
Preview:..7......~. . ...d...O.7..;.......t...JZ...O./...;.%<......1~#Hhh..(....+4.;....,..._.<h>...].........HD.IGZ..@@>?.m.}TT....wy.KI......4....?.rq&aE.=.>..b7...p..[k\E.cl...N.s.tFqtG.....&}..[..|.=...UQ3...m.o.}."..*.n.._?._.uAS....#.{e...<@.$x..<..>....7....|..._.}.....>..).\#...j.V(.5..gh...).).X....eA\:....5...[.........@M............}..]..nn$..g....."f...@2..]G.W_.3S..../........<..BZ.:-..+A.{H.%.9...9.pe...9.F_....M..&.......W.Fm}<..P....e.T.a..u.{.u.J...@g#g...I.......o.^...unK.....?.Aq...r.DG..)..m..c....<$.ST.<..2>..3....n.j......&......t.....P..{...._.%V..tf$....(...C'..i......1A.yJ..........aV.RM.xS.....=.y.~..N.m..../.{..{h.?!*S...w..Tt.U.`..V.Zz3...>...y.....cG.J.l..1"....k.....f..g.u.~1oN.....j.....4......S>...B@.,I|bO...Mug^>5.rk....,j.;..'N/W.XI.J7.hpp6...]..SF...y.'..PT..w..}M....L..y.q.<.+{CR..q..SF.........O*7.w).....d=I+.J~$Gh..x<h.E.........&6...\..l..A.g..V* .M...i.....I....si...Lv./&..p..WL...../$a..x.p.x..&.Z.%.A...
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.8307237401252656
Encrypted:false
SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugn:gJjJGtpTq2yv1AuNZRY3diu8iBVqFt
MD5:8366DC6225F58CFF0402FA8A963766FC
SHA1:E4848309FD349EAE311B6E7F8832132B9F3A6B3C
SHA-256:75B6B4EB9F047A0C32FCF4FA349A853113E1E19E66DFEBC2C06A676D2D130CA4
SHA-512:DF2F4538BB0F70C23A60F1DB4F7E2315972F8394C56DEC90A229320CAC96E3D96BFD6F40E3BB538C5C59EF3624BBB3F29B31B9148B5EBB5753057C76D77E1F21
Malicious:false
Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe5e072a7, page size 16384, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.658589129396548
Encrypted:false
SSDEEP:1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:F5AB5BFC735C775D40A8B201BEEF5A26
SHA1:C9C25392AC45C0316A2DBC99DDA591BB5E15FCBB
SHA-256:89FAB4CDA2DCBBFBA372FA8C66B52C6A88B922D4EBFE4AFE2EA634F0D46A1719
SHA-512:CE7E4DFE3FB1D9810FAD5193DB185841AF722702648F00B00754D3AD20B8FCBAE1930947DABEFFB49E51E964A5F4A4F67F54F0361C4A0CAE2595210F256558A5
Malicious:false
Preview:..r.... ...............X\...;...{......................0.z..........{..79...|..h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................H79...|.....................V79...|...........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.08147490623636147
Encrypted:false
SSDEEP:3:yrilEYelfvMrAkGuAJkhvekl1Dk8vZylillrekGltll/SPj:ozlfvMrbrxlC8v4IJe3l
MD5:CD243A3E03DD055512C5CBBD2DE3789A
SHA1:4D108D9C3D314D49C9F58963A5DEBD78C067F715
SHA-256:BAE8D017A7D52D31067891964FBCED7AA99916DB8D52B2E61B042EE4D060673F
SHA-512:C45C90578DC3494D382DE88AAEA9262E6FF6AB46F2F82570B74587FD39BC47B321CBB0F967E3674991594AAB34F249D7C3493A195FA39CCE064A7D15479E6C3C
Malicious:false
Preview:.m.......................................;...{..79...|.......{...............{.......{...XL......{.....................V79...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 30 14:57:41 2024, mtime=Wed Oct 30 14:57:41 2024, atime=Thu Apr 4 17:51:30 2013, length=788040, window=hide
Category:dropped
Size (bytes):1431
Entropy (8bit):4.57848823639599
Encrypted:false
SSDEEP:24:8mAb83ErdOEuPhKKZ8Afacpxsdgk9U+dgksUUCaydN6nqFqygm:8mA8UrdO9PMKFSo+dD9U+dDZZNYDyg
MD5:93384F880A494F53CB54E6540272EF68
SHA1:FFE8F96B4DD6893E9BEADFC77FEC18C5B17E7F2A
SHA-256:0D668D99998C2CFE8F94B9BB1217FCBA5B14D94A18D0435B4555C8057650DEF0
SHA-512:A5E65906C268FB7F87B204BFFC2E0F98DBEF7A3C60C3FB340D62416D79EA7A01A2022D4AF0A959433B042C5D2AA841AED85816E69140FE0302BE4ADF9314DD8E
Malicious:false
Preview:L..................F.... ..../es.*..&.is.*.....ke1..H............................P.O. .:i.....+00.../C:\.....................1.....^Y5...PROGRA~2.........O.I^Y6.....................V.....-+..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....^Y5...CHICAL~1..F......^Y5.^Y6...........................-+..C.h.i.c.a.L.o.g.i.c.....f.1.....^Y6...CHICAP~1..N......^Y5.^Y6...............................C.h.i.c.a.P.C.-.S.h.i.e.l.d.....b.2.H....Bo. .cpcsgui.exe.H......^Y5.^Y5...............................c.p.c.s.g.u.i...e.x.e.......k...............-.......j.............Qw.....C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe..N.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.\.c.p.c.s.g.u.i...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.........*................@Z|...K.J.........`.......X.......467601

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 30 14:57:41 2024, mtime=Wed Oct 30 14:57:41 2024, atime=Thu Apr 4 17:51:30 2013, length=973448, window=hide
Category:dropped
Size (bytes):1271
Entropy (8bit):4.580640568559658
Encrypted:false
SSDEEP:24:8m11+72EvdOEuQhKFA6acpxjCdgk9udgksUUCbqygm:8mW7pvdO9QMu1oodD9udDZOyg
MD5:544C68611EA365E5ADFD252834F6C4D8
SHA1:0C62FAE5CFD4CF2ACEF358EB39DC2E1EB08510A1
SHA-256:AB409652A90BCA417F1649BD25EC718A154C6CFAD8E4787F3C9338D86083DF56
SHA-512:FA5A3C1905A22982B96EA5F862AD4202EA6A70BD0D4499BA652D33430E54419D82B1A1F7DF5DA2C17B8739DA705501F59F895288AAAF8ED393F6ECCAC7AC0B77
Malicious:false
Preview:L..................F.... ...*CYs.*....^s.*.....ke1...............................P.O. .:i.....+00.../C:\.....................1.....^Y....PROGRA~2.........O.I^Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....^Y5...CHICAL~1..F......^Y5.^Y5...........................-+..C.h.i.c.a.L.o.g.i.c.....f.1.....^Y6...CHICAP~1..N......^Y5.^Y6...............................C.h.i.c.a.P.C.-.S.h.i.e.l.d.....Z.2......Bo. .cpcs.exe..B......^Y5.^Y5...............................c.p.c.s...e.x.e.......h...............-.......g.............Qw.....C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe..K.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.\.c.p.c.s...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.........*................@Z|...K.J.........`.......X.......467601...........hT..Cr

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 30 14:57:40 2024, mtime=Wed Oct 30 14:57:40 2024, atime=Wed Oct 30 14:57:01 2024, length=712264, window=hide
Category:dropped
Size (bytes):1295
Entropy (8bit):4.623613690638364
Encrypted:false
SSDEEP:24:8mf5K23ErdOEuPhK8uYAyVacpxH0dgki9dgksUUCfqygm:8mPUrdO9PMH/Ro2dDi9dDZyyg
MD5:3E447465E4FD643F301FD41F9365E30D
SHA1:E3A9A90F5213DBAE023F20DC99B504A813433717
SHA-256:99B8555D5BF6AC26016BB757413091CF8E7DE06F94CF1FB5DF56810D13B7DF98
SHA-512:700619F97C6D30EB25B9E2883EB90488B31E2D866E05DAEB8B16B33BD91222783D935F7E44E634DE32262F2F3DD68BDEF0E8E8B4F325EC3CEE7978DCE6495CA9
Malicious:false
Preview:L..................F.... .....s.*....s.*....i[.*..H............................P.O. .:i.....+00.../C:\.....................1.....^Y5...PROGRA~2.........O.I^Y6.....................V.....-+..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....^Y5...CHICAL~1..F......^Y5.^Y6...........................-+..C.h.i.c.a.L.o.g.i.c.....f.1.....^Y6...CHICAP~1..N......^Y5.^Y6...............................C.h.i.c.a.P.C.-.S.h.i.e.l.d.....f.2.H...^Y!. .unins000.exe..J......^Y5.^Y5.....D.....................'.w.u.n.i.n.s.0.0.0...e.x.e.......l...............-.......k.............Qw.....C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe..O.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.\.u.n.i.n.s.0.0.0...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.........*................@Z|...K.J.........`.......X......

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Oct 30 14:57:41 2024, mtime=Wed Oct 30 14:57:42 2024, atime=Thu Apr 4 17:51:30 2013, length=973448, window=hide
Category:dropped
Size (bytes):1247
Entropy (8bit):4.599975843430075
Encrypted:false
SSDEEP:24:8m7G3ErdOEuPhKFA6acpxTedgk9udgksUUCbqygm:8maUrdO9PMu1ocdD9udDZOyg
MD5:E71758F3486FB8790B61AC5F1AEAAA48
SHA1:95457733F87B19B7AC6F8703A30A6DB83BBDECD4
SHA-256:CB6026E0DADD5A6CB3120DB1764BAFC53BD2F6EA17413AF74489437B59D954FD
SHA-512:F1D329DAA1D4C1168AF1B4EC55B4E676E5291642BEE6E5DDCCF105572FB95ED699AB6260B3ABA02825FB71422FBBC31E11BBEA0DFD6EAFEF8B73CD2403D57D11
Malicious:false
Preview:L..................F.... ...*CYs.*...v.t.*.....ke1...............................P.O. .:i.....+00.../C:\.....................1.....^Y5...PROGRA~2.........O.I^Y6.....................V.....-+..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....^.1.....^Y5...CHICAL~1..F......^Y5.^Y6...........................-+..C.h.i.c.a.L.o.g.i.c.....f.1.....^Y6...CHICAP~1..N......^Y5.^Y6...............................C.h.i.c.a.P.C.-.S.h.i.e.l.d.....Z.2......Bo. .cpcs.exe..B......^Y5.^Y5...............................c.p.c.s...e.x.e.......h...............-.......g.............Qw.....C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe..?.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.\.c.p.c.s...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.h.i.c.a.L.o.g.i.c.\.C.h.i.c.a.P.C.-.S.h.i.e.l.d.........*................@Z|...K.J.........`.......X.......467601...........hT..CrF.f4... .@.2=.b...,...W.

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.289297026665552
Encrypted:false
SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@..@.pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):23312
                                                                                                                                                                                                                                                      Entropy (8bit):4.596242908851566
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                                                                                                                      MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                                                                                                                      SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                                                                                                                      SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                                                                                                                      SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):527432
                                                                                                                                                                                                                                                      Entropy (8bit):6.554357599549209
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:0d3w5EjjbHtGYp1H8sPF0ZMAHzrGOF2OAN0TxlgCh/4gezc3NTkv4xl7nRlQAz31:2w5EjPHr98lZFTFH9TrZ4gcc9TKE
                                                                                                                                                                                                                                                      MD5:6043B2F884CDE44CEEA91A34EB2FAE81
                                                                                                                                                                                                                                                      SHA1:5F0A4D9D2C61B0045B5C94CE366949CA26E49A11
                                                                                                                                                                                                                                                      SHA-256:5E08FCA6421A1E89538C52E8ACB1D9A83FAEC7138EED6451BB5D5180A4F39938
                                                                                                                                                                                                                                                      SHA-512:322591B9E87900BCF9B24020FCBC601CB250EB5A8C82838D4DCE10810D803A7EB692CF1462E79E7A3193A01FD7FCE8C32AC37EC42C2A51E93D873CB19DB61B95
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1{.OP..OP..OP.. &..XP.. &...P.. &...P..F(..XP..OP...P..OP..NP.. &...P.. &..NP.. &..NP..OP..NP.. &..NP..RichOP..........................PE..L...../Q...........!.........................................................@......;.....@.........................`M..i....>..........................H........O..0...................................@...............|............................text............................... ..`.rdata...K.......L..................@..@.data....Z...`...6...J..............@....rsrc...............................@..@.reloc...k.......l..................@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):712264
                                                                                                                                                                                                                                                      Entropy (8bit):6.524059965918702
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:qTPcYn5c/rPx37/zHBA6a5UeypkxmFERhD7rNdR81QNERxyF:iPcYn5c/rPx37/zHBA6pDpk8FEK1uERU
                                                                                                                                                                                                                                                      MD5:C2BE7988C8762E314534B2908C4D6E49
                                                                                                                                                                                                                                                      SHA1:CBC373D596D389F5ABEA8177D1F86EE767284466
                                                                                                                                                                                                                                                      SHA-256:4A53C567369F2F30571019E17B13F650680280962B9C4105B2B3CF306FE47C36
                                                                                                                                                                                                                                                      SHA-512:EEFA58E16BBFBEFD1AFBF63409CDF5907FBE87BDD5BCFFEB9FEC47790E0428E3290ED22108EAE4BCD6711C9CD92D947E87CFBF68EBCF37FE4A68405142776216
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                                                                      Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................z........................@..............................................@...............................%......................H...........................................................................................CODE.....y.......z.................. ..`DATA.................~..............@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................P..............@..P........................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):229376
                                                                                                                                                                                                                                                      Entropy (8bit):7.815150077225042
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:MT8kDKsyI5CNkKX7QaDCsjsxzx+5xwk59j1Be3:MokDKs35e1X7TCzxx+cQ/Y
                                                                                                                                                                                                                                                      MD5:5466A34115AB65A755ED55705B8896D3
                                                                                                                                                                                                                                                      SHA1:15417ABF1578E08E6EB4481BC3693FA7D750CD3E
                                                                                                                                                                                                                                                      SHA-256:7D470A1642FAF28EB0B978D6AB8CCFE2577A1AE21521047EF2EC1E5CF1645048
                                                                                                                                                                                                                                                      SHA-512:0E61299647891CE67FB6D603E6B581BC610687D3F68E605CC857688EFE36F2E9CACB099A8E27C48AE7F12D2ECEEBDBE1EB16636B5F6DA8AE36B683ABD769CF46
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):229376
                                                                                                                                                                                                                                                      Entropy (8bit):7.55347303111672
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:MT8kDKsyI5CNkKX7QaDCsjsxzx+5xwk59j1B:MokDKs35e1X7TCzxx+cQ/
                                                                                                                                                                                                                                                      MD5:A199E8FBB620A18EABB4EA75C0BF7054
                                                                                                                                                                                                                                                      SHA1:7DD1554B4D2DCB43CDE52615E8B5C255DAD7E0C4
                                                                                                                                                                                                                                                      SHA-256:9DB2BC2CF3AC0DCACBF05E1C18BEEFE7583F5DDC345D837E4F98F41B418E40A2
                                                                                                                                                                                                                                                      SHA-512:60669BBD2D58637E40EFEE62D162781D5C46992FECAB1FDA1CC2193C6FB33D43F25D68C9F1B5C3964264464EFABB76C339C1E5A21D6A1E87883A69AD91E199A4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      Process:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
                                                                                                                                                                                                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):229376
                                                                                                                                                                                                                                                      Entropy (8bit):7.815150077225042
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:MT8kDKsyI5CNkKX7QaDCsjsxzx+5xwk59j1Be3:MokDKs35e1X7TCzxx+cQ/Y
                                                                                                                                                                                                                                                      MD5:5466A34115AB65A755ED55705B8896D3
                                                                                                                                                                                                                                                      SHA1:15417ABF1578E08E6EB4481BC3693FA7D750CD3E
SHA-256:7D470A1642FAF28EB0B978D6AB8CCFE2577A1AE21521047EF2EC1E5CF1645048
SHA-512:0E61299647891CE67FB6D603E6B581BC610687D3F68E605CC857688EFE36F2E9CACB099A8E27C48AE7F12D2ECEEBDBE1EB16636B5F6DA8AE36B683ABD769CF46
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
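The identity fields the report prints for each dropped file (size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512) are cheap to recompute, which is how you confirm that an artefact pulled from a host is the same object the sandbox saw. The following is an added example, not Joe Sandbox code; it uses only the Python standard library. The sample input is constructed from the Preview line of the 55-byte JSON file above, assumed to be byte-exact (no trailing newline), and the REPORTED values are copied from that entry; SSDEEP is not reproduced because it needs a third-party library.

```python
"""Recompute Joe Sandbox's dropped-file identity fields with the stdlib.

Added example. The sample is the 55-byte JSON dropped by svchost.exe,
taken verbatim from the report's Preview line (assumed byte-exact)."""
import hashlib
import math
from collections import Counter

# Constructed from the report's Preview line (assumption: no trailing newline).
DROPPED_JSON = b'{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}'

# Values copied from the report entry for that file.
REPORTED = {
    "size": 55,
    "entropy": 4.306461250274409,
    "md5": "DCA83F08D448911A14C22EBCACC5AD57",
    "sha1": "91270525521B7FE0D986DB19747F47D34B6318AD",
    "sha256": "2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0.

    This is the report's 'Entropy (8bit)' column. Values close to 8 mean
    the bytes are nearly uniformly distributed, i.e. compressed, packed or
    encrypted content (the installer itself reports 7.9996)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_identity(data: bytes) -> dict:
    """Return the same identity fields the report prints for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def check_against_report(data: bytes, reported: dict) -> list:
    """Compare computed fields with the reported ones.

    Returns a list of (field, reported, computed) tuples, one per mismatch;
    an empty list means the bytes in hand are the object the sandbox saw."""
    computed = file_identity(data)
    mismatches = []
    for field, expected in reported.items():
        got = computed[field]
        if field == "entropy":
            ok = math.isclose(got, expected, abs_tol=1e-9)
        else:
            ok = got == expected
        if not ok:
            mismatches.append((field, expected, got))
    return mismatches


if __name__ == "__main__":
    for key, value in file_identity(DROPPED_JSON).items():
        print(f"{key:8} {value}")
    print("mismatches:", check_against_report(DROPPED_JSON, REPORTED))
```

To check a file recovered from a host, replace `DROPPED_JSON` with `open(path, "rb").read()` and `REPORTED` with the values from the matching report entry; any non-empty mismatch list means you are not holding the same bytes.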
Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):25928
Entropy (8bit):6.18637440886807
Encrypted:false
SSDEEP:384:kHxJKo4EZvnMIMMayvbjwd0m1KJJ9NyZN3HxMr4MCPa6jfm2eMFEBns:kHxDZ+Yjm31KJJ9Nxv3meBs
MD5:26F6761FF37E7A41E8B042059DF83843
SHA1:359AA7AE9A76E63445D01A605B785BF0DF775B39
SHA-256:6B582D96220FFBC2C7AA1A046891B7008AFABF1D91DB5421993579C4D6C317D7
SHA-512:62EC5D7A919D1540EE430B21E5130E898C9C8845F709B2839A5F97FB397139994A981FAAB360DAAA1921AE2D8A2CE8117FD329B7664FB3C8089AFF3BE9456714
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cZ..';}.';}.';}.';|..;}.Q... ;}.Q...%;}.....$;}.....&;}.Q...&;}.....";}.....&;}.....&;}.Rich';}.................PE..d...A./Q.........."......0...........p...............................................$......................................................dp..P............`.......F..H.......$....A...............................................@...............................text...6'.......(.................. ..h.rdata.. ....@.......,..............@..H.data........P.......2..............@....pdata.......`.......6..............@..HINIT.........p.......8.............. ....rsrc................@..............@..B.reloc..`............D..............@..B........................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):25928
Entropy (8bit):6.18637440886807
Encrypted:false
SSDEEP:384:kHxJKo4EZvnMIMMayvbjwd0m1KJJ9NyZN3HxMr4MCPa6jfm2eMFEBns:kHxDZ+Yjm31KJJ9Nxv3meBs
MD5:26F6761FF37E7A41E8B042059DF83843
SHA1:359AA7AE9A76E63445D01A605B785BF0DF775B39
SHA-256:6B582D96220FFBC2C7AA1A046891B7008AFABF1D91DB5421993579C4D6C317D7
SHA-512:62EC5D7A919D1540EE430B21E5130E898C9C8845F709B2839A5F97FB397139994A981FAAB360DAAA1921AE2D8A2CE8117FD329B7664FB3C8089AFF3BE9456714
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cZ..';}.';}.';}.';|..;}.Q... ;}.Q...%;}.....$;}.....&;}.Q...&;}.....";}.....&;}.....&;}.Rich';}.................PE..d...A./Q.........."......0...........p...............................................$......................................................dp..P............`.......F..H.......$....A...............................................@...............................text...6'.......(.................. ..h.rdata.. ....@.......,..............@..H.data........P.......2..............@....pdata.......`.......6..............@..HINIT.........p.......8.............. ....rsrc................@..............@..B.reloc..`............D..............@..B........................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.999608904936307
TrID:
• Win32 Executable (generic) a (10002005/4) 98.86%
• Inno Setup installer (109748/4) 1.08%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name:chica-pc-shield-1-75-0-1300-en-win.exe
File size:8'967'808 bytes
MD5:1870fbe03e739325c142eacbe1667ff3
SHA1:7b86308efbcde9175b405445179bbceb196d0f73
SHA256:fba0337b65c15b029ee4f87b3db5fcfc6ce61a29289d9e6c58d0bcebee995ce0
SHA512:ccef3baab4f4b0314e3e0ce0eecb3cae8424a38dd931813bb40bd05121ba25c434ffe1f33d2057b578c4aa3a5e6fb2d42b6c3d6360a3551bf1b9f7af9a583b3e
SSDEEP:196608:N7H8qcOrHa05E8utKAcbZzchsPRt1EWZ4ufcJhANtXzrfOpa:NQ3OrHNvgK7lzw+EBuEDCzDSa
TLSH:439633EDC095A5B1C98856758BABFF9A6E9C533248ECD9CD328C79A80B3F1F009D4705
File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash:2d2e3797b32b2b99
Entrypoint:0x409c40
Entrypoint Section:CODE
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:1
OS Version Minor:0
File Version Major:1
File Version Minor:0
Subsystem Version Major:1
Subsystem Version Minor:0
Import Hash:884310b1928934402ea6fec1dbd3cf5e
Signature Valid:true
Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
• Not Before: 23/05/2011 20:00:00, Not After: 04/06/2013 19:59:59
Subject Chain
• CN=Malwarebytes Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Malwarebytes Corporation, L=San Jose, S=California, C=US
Version:3
Thumbprint MD5:E1B30BACA0EA129562156225F2A61B51
Thumbprint SHA-1:96D578E1B0D4854F8E870BAE1DF5CB8BAB78E124
Thumbprint SHA-256:9EFEE65EAC008E4F64FDF30C1830C4A54A9D5C2706FEE9A9E8231ED0EC07663A
Serial:635725F2493191F6F4F686234034FE80
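The static fields above (entry point, image base, characteristics, subsystem, link timestamp and the OS/image/subsystem versions) all come straight out of the COFF and PE32 optional headers, and it is worth being able to read them yourself rather than trusting a report verbatim. The following is an added example, not Joe Sandbox code, using only the Python standard library. Because the sample is not on this page, the parsed input is a constructed minimal header carrying the values the report lists for this installer (the linker version, alignments and stack/heap sizes in it are arbitrary); on a real file call `parse_pe_header(open(path, "rb").read())`. One check a practitioner wants is built in: 0x2A425E19 is the fixed link timestamp the Borland/Delphi linker writes (Fri Jun 19 22:22:17 1992 UTC), consistent with the Inno Setup/Delphi TrID hits above, so it says nothing about when the binary was actually built.

```python
"""Decode the COFF/PE32 header fields a sandbox lists as static info.

Added example, stdlib only. build_sample_header() constructs a header
with the values the report shows for chica-pc-shield-1-75-0-1300-en-win.exe."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}

# Fixed timestamp emitted by the Borland/Delphi linker; not a build time.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19

COFF_FMT = "<HHIIIHH"          # Machine .. Characteristics, 20 bytes
OPT32_FMT = "<HBB9I6H4I2H6I"   # PE32 optional header without data dirs, 96 bytes


def flag_names(value: int, table: dict) -> list:
    """Expand a bit mask into the names of the set flags, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Return the static fields of a PE32 image (raises ValueError if not PE32)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    opt = struct.unpack_from(OPT32_FMT, data, opt_off)
    # opt indices: 6 AddressOfEntryPoint, 9 ImageBase, 12..17 OS/Image/Subsystem
    # major+minor versions, 22 Subsystem, 23 DllCharacteristics.
    return {
        "machine": machine,
        "sections": nsect,
        "timestamp": ts,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc)
                                 .strftime("%a %b %d %H:%M:%S %Y UTC"),
        "timestamp_is_delphi_default": ts == DELPHI_FIXED_TIMESTAMP,
        "characteristics": flag_names(chars, IMAGE_FILE_CHARACTERISTICS),
        "entrypoint": opt[6],
        "imagebase": opt[9],
        "os_version": (opt[12], opt[13]),
        "image_version": (opt[14], opt[15]),
        "subsystem_version": (opt[16], opt[17]),
        "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
        "dll_characteristics": flag_names(opt[23], DLL_CHARACTERISTICS),
    }


def build_sample_header() -> bytes:
    """Constructed stand-in for the sample's headers with the report's values.

    No section table follows, so this is not loadable; it exists only so the
    parser has realistic input to run on offline."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 0, DELPHI_FIXED_TIMESTAMP, 0, 0,
                       struct.calcsize(OPT32_FMT), 0x818F)       # flags as reported
    opt = struct.pack(OPT32_FMT, 0x10B, 2, 25,                   # linker ver. arbitrary
                      0, 0, 0, 0x409C40, 0x1000, 0, 0x400000, 0x1000, 0x200,
                      1, 0, 1, 0, 1, 0,                          # OS/image/subsys 1.0
                      0, 0, 0, 0,
                      2, 0x8000,                                 # GUI, TS-aware
                      0x100000, 0x4000, 0x100000, 0x1000, 0, 0)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key:28} {value:#x}" if isinstance(value, int) and key != "sections"
              else f"{key:28} {value}")
```

The flag decoding is where a hand-written parser earns its keep: a report only shows the names, while the raw Characteristics word (0x818F here) is what you match on in YARA or a triage script.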
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FBFD8B6252Bh
call 00007FBFD8B63732h
call 00007FBFD8B639C1h
call 00007FBFD8B63A64h
call 00007FBFD8B65A03h
call 00007FBFD8B6836Eh
call 00007FBFD8B684D5h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
                                                                                                                                                                                                                                                      mov dword ptr fs:[eax], esp
                                                                                                                                                                                                                                                      xor edx, edx
                                                                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                                                                      push 0040A2C5h
                                                                                                                                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                                      mov eax, dword ptr [0040C014h]
                                                                                                                                                                                                                                                      call 00007FBFD8B68F3Bh
                                                                                                                                                                                                                                                      call 00007FBFD8B68B6Eh
                                                                                                                                                                                                                                                      lea edx, dword ptr [ebp-10h]
                                                                                                                                                                                                                                                      xor eax, eax
                                                                                                                                                                                                                                                      call 00007FBFD8B66028h
                                                                                                                                                                                                                                                      mov edx, dword ptr [ebp-10h]
                                                                                                                                                                                                                                                      mov eax, 0040CE24h
                                                                                                                                                                                                                                                      call 00007FBFD8B625D7h
                                                                                                                                                                                                                                                      push 00000002h
                                                                                                                                                                                                                                                      push 00000000h
                                                                                                                                                                                                                                                      push 00000001h
                                                                                                                                                                                                                                                      mov ecx, dword ptr [0040CE24h]
                                                                                                                                                                                                                                                      mov dl, 01h
                                                                                                                                                                                                                                                      mov eax, 0040738Ch
                                                                                                                                                                                                                                                      call 00007FBFD8B668B7h
                                                                                                                                                                                                                                                      mov dword ptr [0040CE28h], eax
                                                                                                                                                                                                                                                      xor edx, edx
                                                                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                                                                      push 0040A27Dh
                                                                                                                                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                                                      call 00007FBFD8B68FABh
                                                                                                                                                                                                                                                      mov dword ptr [0040CE30h], eax
                                                                                                                                                                                                                                                      mov eax, dword ptr [0040CE30h]
                                                                                                                                                                                                                                                      cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                                                                                                                      jne 00007FBFD8B690EAh
                                                                                                                                                                                                                                                      mov eax, dword ptr [0040CE30h]
                                                                                                                                                                                                                                                      mov edx, 00000028h
                                                                                                                                                                                                                                                      call 00007FBFD8B66CB8h
                                                                                                                                                                                                                                                      mov edx, dword ptr [00000030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x88bc38 | 0x1a48 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Note: the SECURITY entry (the attribute certificate table used for Authenticode) is addressed by raw file offset, not by RVA, so it never maps to a section; that is why 0x88bc38 lies far beyond the virtual range of the sections listed below (which end at 0x11000 + 0x2c00) while every other populated entry resolves to one.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | e8a38c5eb0d717d3fb478c7e19f20477 | False | 0.6147856841216216 | data | 6.563139352016593 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | 5d98c64569668b0235ae89005918165a | False | 0.3046875 | data | 2.7373065622921344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | c8b70628c08dacef6e3c4870d6a9f23e | False | 0.3328302556818182 | data | 4.527154480221984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
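The MD5, Entropy, ZLIB Complexity and Xored PE columns in the section table above are all derived from a section's raw bytes, and they are worth being able to recompute when triaging a sample outside the sandbox: the three sections with Raw Size 0x0 (BSS, .tls, .reloc) all carry d41d8cd98f00b204e9800998ecf8427e, the MD5 of zero bytes, and the CODE section's entropy of 6.56 is in the range of ordinary compiled code rather than the near-8.0 of packed or encrypted payloads. The Python below is an added example written for this page, not Joe Sandbox's code; the exact formulas the report uses, the single-byte XOR scan behind the Xored PE column and the "empty"/"data" file-type labels are assumptions here, and the sample sections are constructed inline so it runs offline.

```python
"""Recompute per-section metrics of the kind a sandbox section table reports
(MD5, Shannon entropy, zlib compression ratio, XORed-PE scan) from raw bytes.
Added example; the formulas the report itself uses are an assumption."""
import hashlib
import math
import struct
import zlib


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 .. 8.0); empty -> 0.0.
    Compiled code usually lands around 6-6.6, packed/encrypted data near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size divided by raw size; empty -> 0.0.
    Redundant data gives a small ratio; incompressible data, and tiny blobs
    where the zlib framing dominates, give a ratio at or above 1.0."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def find_xored_pe(data: bytes):
    """Look for a PE image XOR-encoded with one non-zero byte key.
    Returns (offset, key) for the first hit or None.  A hit needs an encoded
    'MZ' whose e_lfanew (at +0x3c) points at an encoded 'PE\\0\\0' inside the
    buffer; the second check keeps random 'MZ' pairs from counting."""
    for key in range(1, 256):
        marker = xor_bytes(b"MZ", key)
        pos = data.find(marker)
        while pos != -1:
            if pos + 0x40 <= len(data):
                e_lfanew = int.from_bytes(xor_bytes(data[pos + 0x3C:pos + 0x40], key), "little")
                sig = pos + e_lfanew
                if (e_lfanew < 0x10000 and sig + 4 <= len(data)
                        and xor_bytes(data[sig:sig + 4], key) == b"PE\x00\x00"):
                    return pos, key
            pos = data.find(marker, pos + 1)
    return None


def section_metrics(raw: bytes) -> dict:
    """One row of the section table, computed from a section's raw bytes."""
    return {
        "raw_size": len(raw),
        "md5": hashlib.md5(raw).hexdigest(),
        "entropy": shannon_entropy(raw),
        "zlib_complexity": zlib_complexity(raw),
        "xored_pe": find_xored_pe(raw) is not None,
        # Assumption: the report's File Type column comes from a libmagic-style
        # probe; only the "empty"/"data" cases seen in the table are modelled.
        "file_type": "empty" if not raw else "data",
    }


def build_fake_pe() -> bytes:
    """Constructed minimal DOS stub + PE signature (not a loadable executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)
    hdr += struct.pack("<I", 0x80)            # e_lfanew -> PE signature at 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + b"\x4c\x01"        # signature, Machine = IMAGE_FILE_MACHINE_I386
    return bytes(hdr)


def pseudo_random(n: int) -> bytes:
    """Deterministic incompressible filler (chained SHA-256) standing in for packed code."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    samples = {                                  # constructed sample sections
        "bss-like (raw size 0)": b"",
        "string-table-like": b"SeShutdownPrivilege\x00" * 200,
        "packed-like": pseudo_random(8192),
        "embedded xored PE": b"\x90" * 512 + xor_bytes(build_fake_pe(), 0x5A) + b"\x90" * 512,
    }
    for name, raw in samples.items():
        m = section_metrics(raw)
        print(f"{name:22s} size={m['raw_size']:5d} md5={m['md5']} "
              f"H={m['entropy']:.3f} zlib={m['zlib_complexity']:.3f} xored_pe={m['xored_pe']}")
```

Run it against real sections by slicing the file at each section's raw offset and raw size; a section whose raw size is 0 yields the empty-string MD5 exactly as the BSS, .tls and .reloc rows do, and a section that scores near 8.0 entropy with a zlib ratio close to 1.0 is the one to look at first for a packed or encrypted payload. The XOR scan deliberately ignores key 0 so that a plain, unencoded PE header is not reported as "xored".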
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.3344370860927152
RT_MANIFEST | 0x13534 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 16:58:06.262907982 CET | 49915 | 80 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:06.268697977 CET | 80 | 49915 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:06.268809080 CET | 49915 | 80 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:06.269777060 CET | 49915 | 80 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:06.275378942 CET | 80 | 49915 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:07.109765053 CET | 80 | 49915 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:07.113111973 CET | 49921 | 443 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:07.113152027 CET | 443 | 49921 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:07.113334894 CET | 49921 | 443 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:07.113486052 CET | 49921 | 443 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:07.113502026 CET | 443 | 49921 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:07.192919970 CET | 49915 | 80 | 192.168.2.5 | 65.9.66.84
Oct 30, 2024 16:58:07.226910114 CET | 80 | 49915 | 65.9.66.84 | 192.168.2.5
Oct 30, 2024 16:58:07.226988077 CET | 49915 | 80 | 192.168.2.5 | 65.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.992438078 CET4434992165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.992582083 CET49921443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.997845888 CET49921443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.997859001 CET4434992165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.998087883 CET4434992165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:07.998140097 CET49921443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.001452923 CET49921443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.017810106 CET4991580192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.023252010 CET804991565.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.477693081 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.483076096 CET804992865.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.483166933 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.484103918 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:08.489578009 CET804992865.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.317945957 CET804992865.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.321659088 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.321687937 CET4434993365.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.321779966 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.333846092 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.333862066 CET4434993365.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.364865065 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.437561035 CET804992865.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:09.437661886 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.177403927 CET4434993365.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.177541971 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.177990913 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.177998066 CET4434993365.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.178139925 CET49933443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.179524899 CET4992880192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.185012102 CET804992865.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.305924892 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.311453104 CET804993965.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.311521053 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.313683987 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:10.319257021 CET804993965.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.153893948 CET804993965.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.170835018 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.170871019 CET4434994565.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.170942068 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.172338963 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.172348022 CET4434994565.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.208540916 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.272866011 CET804993965.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:11.272995949 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.021594048 CET4434994565.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.021656990 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.022048950 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.022066116 CET4434994565.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.022370100 CET49945443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.023361921 CET4993980192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.028939962 CET804993965.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.114260912 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.440874100 CET804995165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.440962076 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.442065001 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:12.447560072 CET804995165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.286956072 CET804995165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.291567087 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.291616917 CET4434995765.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.291713953 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.291913986 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.291924000 CET4434995765.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.333544016 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.406924009 CET804995165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:13.407032013 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.153090954 CET4434995765.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.153199911 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.153536081 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.153548002 CET4434995765.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.153649092 CET49957443192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.154844999 CET4995180192.168.2.565.9.66.84
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.160202026 CET804995165.9.66.84192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.588076115 CET4999480192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.593462944 CET804999465.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.593530893 CET4999480192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.594381094 CET4999480192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.599817038 CET804999465.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.628958941 CET804999465.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.630316019 CET804999465.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.630393028 CET4999480192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.630403042 CET804999465.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.630439997 CET4999480192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.632875919 CET49995443192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.632904053 CET4434999565.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.632978916 CET49995443192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.633112907 CET49995443192.168.2.565.9.66.107
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:28.633126974 CET4434999565.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:29.477541924 CET4434999565.9.66.107192.168.2.5
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:29.477629900 CET49995443192.168.2.565.9.66.107
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.185138941 CET192.168.2.51.1.1.10x84a3Standard query (0)hw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:14.235162973 CET192.168.2.51.1.1.10x1c23Standard query (0)llnw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:16.911119938 CET192.168.2.51.1.1.10x103fStandard query (0)stats.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:24.956726074 CET192.168.2.51.1.1.10x2932Standard query (0)stats.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:27.562947035 CET192.168.2.51.1.1.10x138dStandard query (0)data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:29.487251997 CET192.168.2.51.1.1.10x9229Standard query (0)edge.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:29.513526917 CET192.168.2.51.1.1.10xb56Standard query (0)hw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:29.543807983 CET192.168.2.51.1.1.10xe722Standard query (0)llnw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:34.878112078 CET192.168.2.51.1.1.10x2bdcStandard query (0)edge.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:34.925713062 CET192.168.2.51.1.1.10xa145Standard query (0)hw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:34.974634886 CET192.168.2.51.1.1.10x5103Standard query (0)llnw.data-cdn.mbamupdates.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                      Oct 30, 2024 16:58:38.216120005 CET192.168.2.51.1.1.10xbbdeStandard query (0)stats.mbamupdates.comA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 16:57:56.798024893 CET | 1.1.1.1 | 192.168.2.5 | 0x68ec | No error (0) | stats.mbamupdates.com | legacy-telemetry.malwarebytes.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 16:58:05.804199934 CET | 1.1.1.1 | 192.168.2.5 | 0x9b26 | No error (0) | stats.mbamupdates.com | legacy-telemetry.malwarebytes.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 16:58:06.252377033 CET | 1.1.1.1 | 192.168.2.5 | 0x4f73 | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.84 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:06.252377033 CET | 1.1.1.1 | 192.168.2.5 | 0x4f73 | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.85 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:06.252377033 CET | 1.1.1.1 | 192.168.2.5 | 0x4f73 | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.107 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:06.252377033 CET | 1.1.1.1 | 192.168.2.5 | 0x4f73 | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.47 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:08.240667105 CET | 1.1.1.1 | 192.168.2.5 | 0xe57e | Name error (3) | edge.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:08.313143015 CET | 1.1.1.1 | 192.168.2.5 | 0x9ad6 | Name error (3) | hw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:08.354501009 CET | 1.1.1.1 | 192.168.2.5 | 0x9743 | Name error (3) | llnw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:14.177217007 CET | 1.1.1.1 | 192.168.2.5 | 0x1975 | Name error (3) | edge.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:14.226819038 CET | 1.1.1.1 | 192.168.2.5 | 0x84a3 | Name error (3) | hw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:14.252624035 CET | 1.1.1.1 | 192.168.2.5 | 0x1c23 | Name error (3) | llnw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:17.035631895 CET | 1.1.1.1 | 192.168.2.5 | 0x103f | No error (0) | stats.mbamupdates.com | legacy-telemetry.malwarebytes.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 16:58:24.991597891 CET | 1.1.1.1 | 192.168.2.5 | 0x2932 | No error (0) | stats.mbamupdates.com | legacy-telemetry.malwarebytes.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 30, 2024 16:58:27.580851078 CET | 1.1.1.1 | 192.168.2.5 | 0x138d | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.107 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:27.580851078 CET | 1.1.1.1 | 192.168.2.5 | 0x138d | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.47 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:27.580851078 CET | 1.1.1.1 | 192.168.2.5 | 0x138d | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.85 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:27.580851078 CET | 1.1.1.1 | 192.168.2.5 | 0x138d | No error (0) | data-cdn.mbamupdates.com | | 65.9.66.84 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:29.505378008 CET | 1.1.1.1 | 192.168.2.5 | 0x9229 | Name error (3) | edge.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:29.535346031 CET | 1.1.1.1 | 192.168.2.5 | 0xb56 | Name error (3) | hw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:29.561161041 CET | 1.1.1.1 | 192.168.2.5 | 0xe722 | Name error (3) | llnw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:34.915891886 CET | 1.1.1.1 | 192.168.2.5 | 0x2bdc | Name error (3) | edge.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:34.966917038 CET | 1.1.1.1 | 192.168.2.5 | 0xa145 | Name error (3) | hw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:34.991583109 CET | 1.1.1.1 | 192.168.2.5 | 0x5103 | Name error (3) | llnw.data-cdn.mbamupdates.com | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 16:58:38.271272898 CET | 1.1.1.1 | 192.168.2.5 | 0xbbde | No error (0) | stats.mbamupdates.com | legacy-telemetry.malwarebytes.com | | CNAME (Canonical name) | IN (0x0001) | false
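The two DNS tables above are easier to read once every answer is matched back to the query it belongs to. The Python below is an added example, not Joe Sandbox code and not part of this report: it takes a subset of the rows above, transcribed by hand with timestamps truncated to microseconds, and pairs answers with queries by transaction ID while also insisting that the answer come from the resolver that was asked, be addressed to the host that asked, and carry the same question name. It then lists which names resolved (and to what), which only ever came back NXDOMAIN, and the query-to-answer latency. One constructed answer row, marked in the code and not present in the report, reuses a real transaction ID from a different resolver to show why matching on the ID alone is not enough.

```python
"""Pair DNS queries with answers and summarise outcomes (added example)."""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Transcribed from the query table above (subset): (timestamp, src_ip, dst_ip, txid, name).
QUERIES = [
    ("2024-10-30 16:57:56.760685", "192.168.2.5", "1.1.1.1", 0x68EC, "stats.mbamupdates.com"),
    ("2024-10-30 16:58:06.243360", "192.168.2.5", "1.1.1.1", 0x4F73, "data-cdn.mbamupdates.com"),
    ("2024-10-30 16:58:08.214833", "192.168.2.5", "1.1.1.1", 0xE57E, "edge.data-cdn.mbamupdates.com"),
    ("2024-10-30 16:58:08.261063", "192.168.2.5", "1.1.1.1", 0x9AD6, "hw.data-cdn.mbamupdates.com"),
    ("2024-10-30 16:58:08.328507", "192.168.2.5", "1.1.1.1", 0x9743, "llnw.data-cdn.mbamupdates.com"),
]

# Transcribed from the answer table above (subset):
# (timestamp, src_ip, dst_ip, txid, name, rcode, cname, address).
ANSWERS = [
    ("2024-10-30 16:57:56.798024", "1.1.1.1", "192.168.2.5", 0x68EC, "stats.mbamupdates.com", 0, "legacy-telemetry.malwarebytes.com", None),
    ("2024-10-30 16:58:06.252377", "1.1.1.1", "192.168.2.5", 0x4F73, "data-cdn.mbamupdates.com", 0, None, "65.9.66.84"),
    ("2024-10-30 16:58:06.252377", "1.1.1.1", "192.168.2.5", 0x4F73, "data-cdn.mbamupdates.com", 0, None, "65.9.66.85"),
    ("2024-10-30 16:58:06.252377", "1.1.1.1", "192.168.2.5", 0x4F73, "data-cdn.mbamupdates.com", 0, None, "65.9.66.107"),
    ("2024-10-30 16:58:06.252377", "1.1.1.1", "192.168.2.5", 0x4F73, "data-cdn.mbamupdates.com", 0, None, "65.9.66.47"),
    ("2024-10-30 16:58:08.240667", "1.1.1.1", "192.168.2.5", 0xE57E, "edge.data-cdn.mbamupdates.com", 3, None, None),
    ("2024-10-30 16:58:08.313143", "1.1.1.1", "192.168.2.5", 0x9AD6, "hw.data-cdn.mbamupdates.com", 3, None, None),
    ("2024-10-30 16:58:08.354501", "1.1.1.1", "192.168.2.5", 0x9743, "llnw.data-cdn.mbamupdates.com", 3, None, None),
    # CONSTRUCTED row, NOT in the report: reuses txid 0x4F73 but comes from a
    # resolver the client never asked and carries a different question name.
    ("2024-10-30 16:58:06.300000", "9.9.9.9", "192.168.2.5", 0x4F73, "data-cdn.mbamupdates.com.example", 0, None, "203.0.113.9"),
]


def _ts(s):
    return datetime.strptime(s, TS_FMT)


def answer_matches_query(query, answer):
    """An answer belongs to a query only if the transaction ID matches, the
    addressing is mirrored (from the resolver we asked, to the host that asked),
    the question name is the one we sent and it is not earlier than the query."""
    q_ts, q_src, q_dst, q_id, q_name = query
    a_ts, a_src, a_dst, a_id, a_name = answer[:5]
    return (q_id == a_id and a_src == q_dst and a_dst == q_src
            and a_name.lower() == q_name.lower() and _ts(a_ts) >= _ts(q_ts))


def pair_transactions(queries, answers):
    """Return ({(txid, client_ip, name): record}, [answers that matched no query]).
    If several queries share txid and name (retransmits), the first one wins."""
    paired = {}
    rejected = []
    for q in queries:
        paired[(q[3], q[1], q[4])] = {"name": q[4], "query_ts": q[0], "rcode": None,
                                      "latency_ms": None, "cnames": [], "addresses": []}
    for a in answers:
        q = next((q for q in queries if answer_matches_query(q, a)), None)
        if q is None:
            rejected.append(a)
            continue
        rec = paired[(q[3], q[1], q[4])]
        rec["rcode"] = a[5]
        rec["latency_ms"] = round((_ts(a[0]) - _ts(q[0])).total_seconds() * 1000, 3)
        if a[6]:
            rec["cnames"].append(a[6])
        if a[7]:
            rec["addresses"].append(a[7])
    return paired, rejected


def summarize_by_name(paired):
    """Collapse per-transaction records into per-name sets of outcomes."""
    summary = defaultdict(lambda: {"rcodes": set(), "cnames": set(), "addresses": set()})
    for rec in paired.values():
        s = summary[rec["name"]]
        if rec["rcode"] is not None:
            s["rcodes"].add(rec["rcode"])
        s["cnames"].update(rec["cnames"])
        s["addresses"].update(rec["addresses"])
    return dict(summary)


def nxdomain_only(summary):
    """Names that never resolved in the capture (every answer was rcode 3)."""
    return sorted(n for n, s in summary.items() if s["rcodes"] == {3})


def resolved_addresses(summary):
    """Name -> sorted A records, for names that produced at least one address."""
    return {n: sorted(s["addresses"]) for n, s in summary.items() if s["addresses"]}


if __name__ == "__main__":
    paired, rejected = pair_transactions(QUERIES, ANSWERS)
    summary = summarize_by_name(paired)
    print("never resolved:", nxdomain_only(summary))
    print("resolved:", resolved_addresses(summary))
    print("answers rejected as not ours:", len(rejected))
```

On the rows above this yields three names that never resolve (edge., hw. and llnw. under data-cdn.mbamupdates.com, which the updater keeps re-querying every few seconds), one name with four A records, and stats.mbamupdates.com answered only with a CNAME to legacy-telemetry.malwarebytes.com; the constructed row is rejected even though its transaction ID is genuine.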
• data-cdn.mbamupdates.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49915 | 65.9.66.84 | 80 | 5440 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:06.269777060 CET | 213 | OUT | GET /v1/config/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:07.109765053 CET | 601 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:06 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 cae542650fb32c773cc494fc6e7e71e6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: RwDeUTmEDQY8g-_8QNMAWuJOrNIJeqkKUJB0NNhfh_gH0x3RUAjzPQ==
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49928 | 65.9.66.84 | 80 | 5440 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:08.484103918 CET | 211 | OUT | GET /v1/news/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:09.317945957 CET | 599 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:09 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/news/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 120ade321ed0e3697c81eb1eb19b5f62.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: gX1pBN0L5qOw-8JRuoRlWw5kfT9q_YMWuQ6RY_PBwmq8t4cOt6AwDg==
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>
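Sessions 0 and 1 above are the same exchange with different paths: cpcs.exe sends a cleartext GET to port 80 with a User-Agent that names the product and build, and CloudFront answers with a 301 to the identical URL over https. The Python below is an added example, not Joe Sandbox code and not part of the sample: it reassembles session 0 byte for byte from the dump above (CRLF line endings restored), parses both messages, and reports the redirect target, whether it is a same-origin scheme upgrade, the version string exposed in the User-Agent, and whether the reconstructed sizes match the 213 and 601 bytes the report recorded for that session.

```python
"""Parse a captured HTTP exchange and triage it (added example)."""
import re
from urllib.parse import urlsplit

# Session 0 above, transcribed verbatim with CRLF line endings restored.
REQUEST_0 = (
    "GET /v1/config/chicalogic/version.chk HTTP/1.1\r\n"
    "Accept-Encoding: gzip\r\n"
    "Connection: Close\r\n"
    "Host: data-cdn.mbamupdates.com\r\n"
    "User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07\r\n"
    "\r\n"
)
RESPONSE_0 = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: CloudFront\r\n"
    "Date: Wed, 30 Oct 2024 15:58:06 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 167\r\n"
    "Connection: close\r\n"
    "Location: https://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk\r\n"
    "X-Cache: Redirect from cloudfront\r\n"
    "Via: 1.1 cae542650fb32c773cc494fc6e7e71e6.cloudfront.net (CloudFront)\r\n"
    "X-Amz-Cf-Pop: FRA56-C1\r\n"
    "X-Amz-Cf-Id: RwDeUTmEDQY8g-_8QNMAWuJOrNIJeqkKUJB0NNhfh_gH0x3RUAjzPQ==\r\n"
    "\r\n"
    "<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n"
    "<center><h1>301 Moved Permanently</h1></center>\r\n"
    "<hr><center>CloudFront</center>\r\n</body>\r\n</html>\r\n"
)


def parse_http_message(raw):
    """Split a raw HTTP/1.x message into start line, headers and body.
    Header names are lower-cased; a repeated header keeps its last value."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("truncated HTTP message: no end-of-headers CRLFCRLF")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body,
            "wire_bytes": len(raw.encode("latin-1"))}


def triage_exchange(request_raw, response_raw):
    """Summarise one request/response pair the way an analyst reads it: what
    was asked, what the server did with it, what the client leaked, and whether
    the reconstructed byte counts are internally consistent."""
    req = parse_http_message(request_raw)
    resp = parse_http_message(response_raw)
    method, path, _version = req["start_line"].split(" ", 2)
    status = int(resp["start_line"].split(" ", 2)[1])
    host = req["headers"].get("host", "")
    user_agent = req["headers"].get("user-agent", "")
    location = resp["headers"].get("location", "")
    loc = urlsplit(location) if location else None
    declared = resp["headers"].get("content-length")
    build = re.search(r"base:([\d.]+)", user_agent)  # version string the client volunteers
    return {
        "method": method,
        "path": path,
        "host": host,
        "product_version": build.group(1) if build else None,
        "status": status,
        "location": location,
        # 301 to the same host and path with https: the server forces a scheme
        # upgrade, but the first leg was still sent in the clear.
        "same_origin_https_upgrade": (loc is not None and loc.scheme == "https"
                                      and loc.netloc == host and loc.path == path),
        # Connection: Close on the request is why each version.chk is its own session.
        "client_closes": req["headers"].get("connection", "").lower() == "close",
        "body_length_matches": (declared is not None
                                and int(declared) == len(resp["body"].encode("latin-1"))),
        "wire_bytes_request": req["wire_bytes"],
        "wire_bytes_response": resp["wire_bytes"],
    }


if __name__ == "__main__":
    for key, value in triage_exchange(REQUEST_0, RESPONSE_0).items():
        print(f"{key}: {value}")
```

The size check is a cheap way to confirm that a hand transcription of a dump is complete: session 1 differs from session 0 only in the path (news instead of config) and the matching Location header, which is why the report lists 211 and 599 bytes for it. Whether the client follows the redirect and validates the certificate on the second leg is not visible in this section; until that is confirmed, the version check is a cleartext request whose answer an on-path attacker could substitute.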


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49939 | 65.9.66.84 | 80 | 5440 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:10.313683987 CET | 213 | OUT | GET /v1/custom/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:11.153893948 CET | 601 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:11 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/custom/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 36d9e1bd4f00d39c57a56679dc44e264.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: 0gc7n3i0exkkZ7vNK4_GAoMUbdOAtlGAdJ3kMe0XGaF5yOHNTAKfWQ==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49951 | 65.9.66.84 | 80 | 5440 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:12.442065001 CET | 221 | OUT | GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:13.286956072 CET | 609 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:13 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v0/clients/chicalogic/mbam.check.program
X-Cache: Redirect from cloudfront
Via: 1.1 95e0c26862caa0a0aa5e9580919524f8.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: 0pl4kPGhdyPZ7Zv2xOItIyL_q_0-yMP7IZOOzBv3sA4CBgKSbwaHpA==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49994 | 65.9.66.107 | 80 | 3472 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:27.594381094 CET | 213 | OUT | GET /v1/config/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:28.628958941 CET | 601 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:28 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 4874e0c922f34c928345f4c183ea11b4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: sZmqCTCGdETUb6pxVxGHq1lTkgEd6wRL52p8wQaYoYfKh6qTyA0DiA==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49996 | 65.9.66.107 | 80 | 3472 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:29.614396095 CET | 211 | OUT | GET /v1/news/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:30.446577072 CET | 599 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:30 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/news/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 2fc0d20914c32e5cd76477ed042298d0.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: JL44E_jV1YbmPixQwhwmn2w5DY8Qa2ZIcBcMB5FlIOTUeyvw-9Wjvg==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49998 | 65.9.66.107 | 80 | 3472 | C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 30, 2024 16:58:31.375678062 CET | 213 | OUT | GET /v1/custom/chicalogic/version.chk HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Oct 30, 2024 16:58:32.204783916 CET | 601 | IN | HTTP/1.1 301 Moved Permanently
Server: CloudFront
Date: Wed, 30 Oct 2024 15:58:32 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Location: https://data-cdn.mbamupdates.com/v1/custom/chicalogic/version.chk
X-Cache: Redirect from cloudfront
Via: 1.1 b3dc72c60418e8887de31f772538f118.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA56-C1
X-Amz-Cf-Id: qBT2PM10OVQHLQ1zMkEWN8M3jFSTxOGD_zxFqw29RVegebmDzkeCzg==
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


Session ID: 7
Source IP: 192.168.2.5
Source Port: 50000
Destination IP: 65.9.66.107
Destination Port: 80
PID: 3472
Process: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Timestamp: Oct 30, 2024 16:58:33.140016079 CET
Bytes transferred: 221
Direction: OUT
Data:
GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1
Accept-Encoding: gzip
Connection: Close
Host: data-cdn.mbamupdates.com
User-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07

Timestamp: Oct 30, 2024 16:58:33.968961954 CET
Bytes transferred: 609
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                                                                      Server: CloudFront
                                                                                                                                                                                                                                                      Date: Wed, 30 Oct 2024 15:58:33 GMT
                                                                                                                                                                                                                                                      Content-Type: text/html
                                                                                                                                                                                                                                                      Content-Length: 167
                                                                                                                                                                                                                                                      Connection: close
                                                                                                                                                                                                                                                      Location: https://data-cdn.mbamupdates.com/v0/clients/chicalogic/mbam.check.program
                                                                                                                                                                                                                                                      X-Cache: Redirect from cloudfront
                                                                                                                                                                                                                                                      Via: 1.1 6def1f0ddc805dce17407cce01d5b32c.cloudfront.net (CloudFront)
                                                                                                                                                                                                                                                      X-Amz-Cf-Pop: FRA56-C1
                                                                                                                                                                                                                                                      X-Amz-Cf-Id: E-khktZr2EkGV8rDfDZd6p1_uhFmm6TmZfj8Ir5Kr9jnMwQbEbmPvA==
                                                                                                                                                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                                                                      Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>


                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                      Start time:11:57:01
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                      File size:8'967'808 bytes
                                                                                                                                                                                                                                                      MD5 hash:1870FBE03E739325C142EACBE1667FF3
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                                                                                      Start time:11:57:01
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                      File size:712'264 bytes
                                                                                                                                                                                                                                                      MD5 hash:C2BE7988C8762E314534B2908C4D6E49
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Antivirus matches:
                                                                                                                                                                                                                                                      • Detection: 4%, ReversingLabs
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                                      Start time:11:57:40
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"
                                                                                                                                                                                                                                                      Imagebase:0x7ff7c4160000
                                                                                                                                                                                                                                                      File size:25'088 bytes
                                                                                                                                                                                                                                                      MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                                                      Start time:11:57:42
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
                                                                                                                                                                                                                                                      Imagebase:0xb40000
                                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                                      MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                                      Start time:11:57:42
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
                                                                                                                                                                                                                                                      Imagebase:0xb40000
                                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                                      MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                                                                      Start time:11:57:47
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial
                                                                                                                                                                                                                                                      Imagebase:0x400000
File size:973'448 bytes
MD5 hash:064E37783673E0094DAE704513F29393
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: thequickbrow_APT1, Description: unknown, Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, Author: AlienVault Labs
• Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
• Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:low
Has exited:true

Target ID:10
Start time:11:57:47
Start date:30/10/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Imagebase:0xb40000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:11:57:48
Start date:30/10/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Imagebase:0xb40000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:11:57:54
Start date:30/10/2024
Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent
Imagebase:0x5b0000
File size:788'040 bytes
MD5 hash:9CC7642A4825E87C9EACB29391279F43
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:13
Start time:11:57:54
Start date:30/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:14
Start time:11:57:56
Start date:30/10/2024
Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe"
Imagebase:0x8e0000
File size:418'376 bytes
MD5 hash:C56F757EB2A6D9B850FAD5F075008A57
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:15
Start time:11:57:57
Start date:30/10/2024
Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update
Imagebase:0x400000
File size:973'448 bytes
MD5 hash:064E37783673E0094DAE704513F29393
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, Author: Seth Hardy
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:low
Has exited:true
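
The process records above follow one shape: a block starting with "Target ID", one "key:value" field per line, and Yara hits as "• Rule: ..., Description: ..., Source: ..., Author: ..." bullets. The following is an added example, not code from Joe Sandbox or from the report, that parses such blocks and pulls out what an analyst triages first: which targets produced Yara hits, and which ran with administrator privileges while carrying a "low" reputation. The sample input is copied from the report above, abridged to the fields the code uses. One assumption is made and checked in code: that the first dot-separated field of a .sdmp source name is the target ID in hexadecimal (0000000F for Target 15), so a hit whose source prefix disagrees with its record is rejected.

```python
"""Parse Joe Sandbox 'Target ID' process records and summarise Yara hits and
privileged low-reputation processes (added example, not report code)."""
import re

# Records copied from the report above, abridged to the fields used here.
SAMPLE_REPORT = r"""
Target ID:12
Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent
MD5 hash:9CC7642A4825E87C9EACB29391279F43
Has administrator privileges:false
Reputation:low

Target ID:15
Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update
MD5 hash:064E37783673E0094DAE704513F29393
Has administrator privileges:true
Yara matches:
• Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, Author: Seth Hardy
• Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:low

Target ID:16
Path:C:\Windows\SysWOW64\regsvr32.exe
Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has administrator privileges:true
Reputation:high
"""

YARA_RE = re.compile(
    r"^• Rule: (?P<rule>[^,]+), Description: (?P<desc>.*), "
    r"Source: (?P<source>\S+), Author: (?P<author>.+)$"
)


def parse_records(text):
    """Return one dict per 'Target ID' block.

    Keys are the field names before the first ':' (so 'Path:C:\\...' splits
    correctly); 'Yara matches' becomes a list of rule/desc/source/author dicts.
    """
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("• "):
            m = YARA_RE.match(line)
            if current is None or not m:
                raise ValueError(f"unexpected Yara line: {line}")
            current.setdefault("Yara matches", []).append(m.groupdict())
            continue
        key, _, value = line.partition(":")
        if key == "Target ID":
            current = {"Target ID": int(value)}
            records.append(current)
        elif current is not None and key == "Yara matches":
            current.setdefault(key, [])  # bullets that follow fill this list
        elif current is not None:
            current[key] = value
    return records


def source_target(source):
    """Target ID encoded in a .sdmp name: assumed to be its first field, in hex."""
    return int(source.split(".")[0], 16)


def yara_summary(records):
    """Map target ID -> sorted unique rule names; reject a hit whose dump
    source prefix does not belong to the record listing it."""
    summary = {}
    for rec in records:
        rules = set()
        for hit in rec.get("Yara matches", []):
            if source_target(hit["source"]) != rec["Target ID"]:
                raise ValueError(f"source {hit['source']} not from target {rec['Target ID']}")
            rules.add(hit["rule"])
        if rules:
            summary[rec["Target ID"]] = sorted(rules)
    return summary


def suspicious_admin(records):
    """Target IDs that ran as administrator from a 'low' reputation binary."""
    return [r["Target ID"] for r in records
            if r.get("Has administrator privileges") == "true"
            and r.get("Reputation") == "low"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print("Yara hits by target:", yara_summary(recs))
    print("Admin + low reputation:", suspicious_admin(recs))
```

Run against the abridged sample, only Target 15 (cpcs.exe /update) shows up in both views: it is the process that carried the GhostRat, APT9002 and Fireball string matches, and it ran with administrator privileges from a low-reputation binary, whereas the regsvr32.exe registrations are high-reputation Windows binaries and cpcsgui.exe never gained administrator rights.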

Target ID:16
Start time:11:57:57
Start date:30/10/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Imagebase:0xb40000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:11:57:57
Start date:30/10/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Imagebase:0xb40000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:18
                                                                                                                                                                                                                                                      Start time:11:58:16
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"
                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                      File size:973'448 bytes
                                                                                                                                                                                                                                                      MD5 hash:064E37783673E0094DAE704513F29393
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                                                                                                                                                                                                                                      • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      • Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:19
                                                                                                                                                                                                                                                      Start time:11:58:16
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
                                                                                                                                                                                                                                                      Imagebase:0xb40000
                                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                                      MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:20
                                                                                                                                                                                                                                                      Start time:11:58:17
                                                                                                                                                                                                                                                      Start date:30/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
                                                                                                                                                                                                                                                      Imagebase:0xb40000
                                                                                                                                                                                                                                                      File size:20'992 bytes
                                                                                                                                                                                                                                                      MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true


Execution Graph

Execution Coverage: 23%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.5%
Total number of Nodes: 1451
Total number of Limit Nodes: 26
5601->5602 5876 402bcc 5602->5876 5604 402f51 5604->5604 5606 408da8 18 API calls 5605->5606 5607 408df4 5606->5607 5607->5510 5609 405869 5608->5609 5610 405940 19 API calls 5609->5610 5611 40587b 5610->5611 5611->5611 5619 40955b 5612->5619 5613 409590 5615 40959d GetUserDefaultLangID 5613->5615 5620 409592 5613->5620 5614 409594 5630 407024 GetModuleHandleA GetProcAddress 5614->5630 5615->5620 5618 40956f 5624 409884 5618->5624 5619->5613 5619->5614 5619->5618 5620->5618 5621 4095cb GetACP 5620->5621 5622 4095ef 5620->5622 5621->5618 5621->5620 5622->5618 5623 409615 GetACP 5622->5623 5623->5618 5623->5622 5625 40988c 5624->5625 5629 4098c6 5624->5629 5626 403420 18 API calls 5625->5626 5625->5629 5627 4098c0 5626->5627 5688 408e80 5627->5688 5629->5505 5631 407067 5630->5631 5632 40705e 5630->5632 5633 407070 5631->5633 5634 4070a8 5631->5634 5641 403198 4 API calls 5632->5641 5651 406f68 5633->5651 5636 406f68 RegOpenKeyExA 5634->5636 5639 4070c1 5636->5639 5637 407089 5638 4070de 5637->5638 5654 406f5c 5637->5654 5643 40322c 4 API calls 5638->5643 5639->5638 5642 406f5c 20 API calls 5639->5642 5645 407120 5641->5645 5646 4070d5 RegCloseKey 5642->5646 5647 4070eb 5643->5647 5648 403198 4 API calls 5645->5648 5646->5638 5657 4032fc 5647->5657 5650 407128 5648->5650 5650->5620 5652 406f73 5651->5652 5653 406f79 RegOpenKeyExA 5651->5653 5652->5653 5653->5637 5671 406e10 5654->5671 5658 403300 5657->5658 5659 40333f 5657->5659 5660 4031e8 5658->5660 5661 40330a 5658->5661 5659->5632 5667 403254 18 API calls 5660->5667 5668 4031fc 5660->5668 5662 403334 5661->5662 5663 40331d 5661->5663 5664 4034f0 18 API calls 5662->5664 5666 4034f0 18 API calls 5663->5666 5670 403322 5664->5670 5665 403228 5665->5632 5666->5670 5667->5668 5668->5665 5669 4025ac 4 API calls 5668->5669 5669->5665 5670->5632 5672 406e36 RegQueryValueExA 5671->5672 5673 406e7b 5672->5673 5678 406e59 5672->5678 5675 403198 4 API calls 5673->5675 5674 406e73 5676 403198 4 API calls 5674->5676 5677 
406f47 RegCloseKey 5675->5677 5676->5673 5677->5638 5678->5673 5678->5674 5679 403278 18 API calls 5678->5679 5680 403420 18 API calls 5678->5680 5679->5678 5681 406eb0 RegQueryValueExA 5680->5681 5681->5672 5682 406ecc 5681->5682 5682->5673 5683 4034f0 18 API calls 5682->5683 5684 406f0e 5683->5684 5685 406f20 5684->5685 5687 403420 18 API calls 5684->5687 5686 4031e8 18 API calls 5685->5686 5686->5673 5687->5685 5689 408e8e 5688->5689 5691 408ea6 5689->5691 5701 408e18 5689->5701 5692 408e18 18 API calls 5691->5692 5693 408eca 5691->5693 5692->5693 5694 407918 InterlockedExchange 5693->5694 5695 408ee5 5694->5695 5696 408e18 18 API calls 5695->5696 5698 408ef8 5695->5698 5696->5698 5697 408e18 18 API calls 5697->5698 5698->5697 5699 403278 18 API calls 5698->5699 5700 408f27 5698->5700 5699->5698 5700->5629 5702 405890 18 API calls 5701->5702 5703 408e29 5702->5703 5703->5691 5753 406a58 5704->5753 5707 406d26 5708 406a58 19 API calls 5707->5708 5711 406d72 5707->5711 5710 406d36 5708->5710 5713 406a34 21 API calls 5710->5713 5715 406d42 5710->5715 5761 406888 5711->5761 5713->5715 5714 406d67 5714->5711 5773 406cc8 GetWindowsDirectoryA 5714->5773 5715->5711 5715->5714 5717 406a58 19 API calls 5715->5717 5720 406d5b 5717->5720 5719 406638 19 API calls 5721 406d87 5719->5721 5720->5714 5723 406a34 21 API calls 5720->5723 5722 40322c 4 API calls 5721->5722 5724 406d91 5722->5724 5723->5714 5725 4031b8 4 API calls 5724->5725 5726 406dab 5725->5726 5726->5543 5728 409244 5727->5728 5729 406638 19 API calls 5728->5729 5730 40925d 5729->5730 5731 40322c 4 API calls 5730->5731 5732 409268 5731->5732 5733 406978 20 API calls 5732->5733 5735 408dd8 18 API calls 5732->5735 5736 4033b4 18 API calls 5732->5736 5737 405890 18 API calls 5732->5737 5739 4092e4 5732->5739 5813 4091b0 5732->5813 5821 409034 5732->5821 5733->5732 5735->5732 5736->5732 5737->5732 5740 40322c 4 API calls 5739->5740 5741 4092ef 5740->5741 5742 4031b8 4 API calls 5741->5742 5743 409309 5742->5743 5744 
403198 4 API calls 5743->5744 5745 409311 5744->5745 5745->5543 5747 4051a8 33 API calls 5746->5747 5748 404cb2 5747->5748 5748->5543 5750 408dc8 5749->5750 5849 408c80 5750->5849 5754 4034f0 18 API calls 5753->5754 5756 406a6b 5754->5756 5755 406a82 GetEnvironmentVariableA 5755->5756 5757 406a8e 5755->5757 5756->5755 5760 406a95 5756->5760 5775 406dec 5756->5775 5759 403198 4 API calls 5757->5759 5759->5760 5760->5707 5770 406a34 5760->5770 5762 403414 5761->5762 5763 4068ab GetFullPathNameA 5762->5763 5764 4068b7 5763->5764 5765 4068ce 5763->5765 5764->5765 5766 4068bf 5764->5766 5767 40322c 4 API calls 5765->5767 5768 403278 18 API calls 5766->5768 5769 4068cc 5767->5769 5768->5769 5769->5719 5779 4069dc 5770->5779 5774 406ce9 5773->5774 5774->5711 5776 406dfa 5775->5776 5777 4034f0 18 API calls 5776->5777 5778 406e08 5777->5778 5778->5756 5786 406978 5779->5786 5781 4069fe 5782 406a06 GetFileAttributesA 5781->5782 5783 406a1b 5782->5783 5784 403198 4 API calls 5783->5784 5785 406a23 5784->5785 5785->5707 5796 406744 5786->5796 5788 4069b0 5790 4069c6 5788->5790 5791 4069bb 5788->5791 5804 403454 5790->5804 5793 40322c 4 API calls 5791->5793 5792 406989 5792->5788 5803 406970 CharPrevA 5792->5803 5795 4069c4 5793->5795 5795->5781 5799 406755 5796->5799 5797 4067b9 5798 406680 IsDBCSLeadByte 5797->5798 5801 4067b4 5797->5801 5798->5801 5799->5797 5800 406773 5799->5800 5800->5801 5811 406680 IsDBCSLeadByte 5800->5811 5801->5792 5803->5792 5805 403486 5804->5805 5807 403459 5804->5807 5806 403198 4 API calls 5805->5806 5808 40347c 5806->5808 5807->5805 5809 40346d 5807->5809 5808->5795 5810 403278 18 API calls 5809->5810 5810->5808 5812 406694 5811->5812 5812->5800 5814 403198 4 API calls 5813->5814 5816 4091d1 5814->5816 5818 4091fe 5816->5818 5830 4032a8 5816->5830 5833 403494 5816->5833 5819 403198 4 API calls 5818->5819 5820 409213 5819->5820 5820->5732 5837 408f70 5821->5837 5823 40904a 5824 40904e 5823->5824 5843 406a48 5823->5843 5824->5732 5827 409081 5846 
408fac 5827->5846 5831 403278 18 API calls 5830->5831 5832 4032b5 5831->5832 5832->5816 5834 403498 5833->5834 5835 4034c3 5833->5835 5836 4034f0 18 API calls 5834->5836 5835->5816 5836->5835 5838 408f7a 5837->5838 5839 408f7e 5837->5839 5838->5823 5840 408fa0 SetLastError 5839->5840 5841 408f87 Wow64DisableWow64FsRedirection 5839->5841 5842 408f9b 5840->5842 5841->5842 5842->5823 5844 4069dc 21 API calls 5843->5844 5845 406a52 GetLastError 5844->5845 5845->5827 5847 408fb1 Wow64RevertWow64FsRedirection 5846->5847 5848 408fbb 5846->5848 5847->5848 5848->5732 5850 403198 4 API calls 5849->5850 5858 408cb1 5849->5858 5850->5858 5851 408cdc 5852 4031b8 4 API calls 5851->5852 5853 408d69 5852->5853 5853->5543 5854 408cc8 5856 4032fc 18 API calls 5854->5856 5855 403278 18 API calls 5855->5858 5856->5851 5857 4032fc 18 API calls 5857->5858 5858->5851 5858->5854 5858->5855 5858->5857 5860 406744 IsDBCSLeadByte 5859->5860 5862 406835 5860->5862 5861 40687f 5861->5561 5862->5861 5863 406680 IsDBCSLeadByte 5862->5863 5863->5862 5865 4068f3 5864->5865 5866 406820 IsDBCSLeadByte 5865->5866 5869 4068fe 5866->5869 5867 4066ea 5867->5566 5867->5567 5868 406680 IsDBCSLeadByte 5868->5869 5869->5867 5869->5868 5871 406957 5870->5871 5872 40695b 5870->5872 5871->5580 5875 406970 CharPrevA 5872->5875 5874 40696c 5874->5580 5875->5874 5877 402bd5 RaiseException 5876->5877 5878 402be6 5876->5878 5877->5878 5878->5604 6213 402e64 6214 402e69 6213->6214 6215 402e7a RtlUnwind 6214->6215 6216 402e5e 6214->6216 6217 402e9d 6215->6217 6230 40667c IsDBCSLeadByte 6231 406694 6230->6231 6688 403f7d 6689 403fa2 6688->6689 6692 403f84 6688->6692 6691 403e8e 4 API calls 6689->6691 6689->6692 6690 403f8c 6691->6692 6692->6690 6693 402674 4 API calls 6692->6693 6694 403fca 6693->6694 5937 403d02 5939 403d12 5937->5939 5938 403ddf ExitProcess 5939->5938 5940 403db8 5939->5940 5942 403dea 5939->5942 5947 403da4 5939->5947 5948 403d8f MessageBoxA 5939->5948 5953 403cc8 5940->5953 5944 403cc8 4 API calls 
5945 403dcc 5944->5945 5957 4019dc 5945->5957 5969 403fe4 5947->5969 5948->5940 5949 403dd1 5949->5938 5949->5942 5955 403cd6 5953->5955 5954 403ceb 5954->5944 5955->5954 5973 402674 5955->5973 5958 401abb 5957->5958 5959 4019ed 5957->5959 5958->5949 5960 401a04 RtlEnterCriticalSection 5959->5960 5961 401a0e LocalFree 5959->5961 5960->5961 5962 401a41 5961->5962 5963 401a2f VirtualFree 5962->5963 5964 401a49 5962->5964 5963->5962 5965 401a70 LocalFree 5964->5965 5966 401a87 5964->5966 5965->5965 5965->5966 5967 401aa9 RtlDeleteCriticalSection 5966->5967 5968 401a9f RtlLeaveCriticalSection 5966->5968 5967->5949 5968->5967 5970 403fe8 5969->5970 5976 403f07 5970->5976 5972 404006 5974 403154 4 API calls 5973->5974 5975 40267a 5974->5975 5975->5954 5979 403f09 5976->5979 5978 403f3c 5978->5972 5981 403154 4 API calls 5979->5981 5983 403e9c 5979->5983 5986 403f3d 5979->5986 5999 403e9c 5979->5999 5980 403ecf 5980->5972 5981->5979 5982 403ef2 5985 402674 4 API calls 5982->5985 5983->5978 5983->5982 5988 403ea9 5983->5988 5990 403e8e 5983->5990 5985->5980 5986->5972 5988->5980 5989 402674 4 API calls 5988->5989 5989->5980 5991 403e4c 5990->5991 5992 403e67 5991->5992 5993 403e62 5991->5993 5994 403e7b 5991->5994 5997 403e78 5992->5997 5998 402674 4 API calls 5992->5998 5996 403cc8 4 API calls 5993->5996 5995 402674 4 API calls 5994->5995 5995->5997 5996->5992 5997->5982 5997->5988 5998->5997 6000 403ed7 5999->6000 6006 403ea9 5999->6006 6002 403ef2 6000->6002 6003 403e8e 4 API calls 6000->6003 6001 403ecf 6001->5979 6004 402674 4 API calls 6002->6004 6005 403ee6 6003->6005 6004->6001 6005->6002 6005->6006 6006->6001 6007 402674 4 API calls 6006->6007 6007->6001 6236 404206 6237 4041cc 6236->6237 6240 40420a 6236->6240 6238 404282 6239 403154 4 API calls 6241 404323 6239->6241 6240->6238 6240->6239 6242 402c08 6245 402c82 6242->6245 6246 402c19 6242->6246 6243 402c56 RtlUnwind 6244 403154 4 API calls 6243->6244 6244->6245 6246->6243 6246->6245 6249 402b28 6246->6249 6250 
402b31 RaiseException 6249->6250 6251 402b47 6249->6251 6250->6251 6251->6243 6252 408c10 6253 408c17 6252->6253 6254 403198 4 API calls 6253->6254 6262 408cb1 6254->6262 6255 408cdc 6256 4031b8 4 API calls 6255->6256 6257 408d69 6256->6257 6258 408cc8 6260 4032fc 18 API calls 6258->6260 6259 403278 18 API calls 6259->6262 6260->6255 6261 4032fc 18 API calls 6261->6262 6262->6255 6262->6258 6262->6259 6262->6261 6263 40a011 6264 40a036 6263->6264 6265 407918 InterlockedExchange 6264->6265 6266 40a060 6265->6266 6267 40a070 6266->6267 6268 409aa0 18 API calls 6266->6268 6273 4076ac SetEndOfFile 6267->6273 6268->6267 6270 40a08c 6271 4025ac 4 API calls 6270->6271 6272 40a0c3 6271->6272 6274 4076c3 6273->6274 6275 4076bc 6273->6275 6274->6270 6276 40748c 35 API calls 6275->6276 6276->6274 6701 409916 6703 409918 6701->6703 6702 40993a 6703->6702 6704 409956 CallWindowProcA 6703->6704 6704->6702 6158 407017 6159 407008 SetErrorMode 6158->6159 6281 403018 6282 403070 6281->6282 6283 403025 6281->6283 6284 40302a RtlUnwind 6283->6284 6285 40304e 6284->6285 6287 402f78 6285->6287 6288 402be8 6285->6288 6289 402bf1 RaiseException 6288->6289 6290 402c04 6288->6290 6289->6290 6290->6282 6711 409918 6712 40993a 6711->6712 6714 409927 6711->6714 6713 409956 CallWindowProcA 6713->6712 6714->6712 6714->6713 6295 40901e 6296 409010 6295->6296 6297 408fac Wow64RevertWow64FsRedirection 6296->6297 6298 409018 6297->6298 6299 409020 SetLastError 6300 409029 6299->6300 6315 403a28 ReadFile 6316 403a46 6315->6316 6317 403a49 GetLastError 6315->6317 6102 40762c ReadFile 6103 407663 6102->6103 6104 40764c 6102->6104 6105 407652 GetLastError 6104->6105 6106 40765c 6104->6106 6105->6103 6105->6106 6107 40748c 35 API calls 6106->6107 6107->6103 6322 40a02c 6323 409aa0 18 API calls 6322->6323 6324 40a031 6323->6324 6325 40a036 6324->6325 6326 402f24 5 API calls 6324->6326 6327 407918 InterlockedExchange 6325->6327 6326->6325 6328 40a060 6327->6328 6329 40a070 6328->6329 6330 409aa0 18 API 
calls 6328->6330 6331 4076ac 36 API calls 6329->6331 6330->6329 6332 40a08c 6331->6332 6333 4025ac 4 API calls 6332->6333 6334 40a0c3 6333->6334 6719 40712e 6720 407118 6719->6720 6721 403198 4 API calls 6720->6721 6722 407120 6721->6722 6723 403198 4 API calls 6722->6723 6724 407128 6723->6724 6725 408f30 6728 408dfc 6725->6728 6729 408e05 6728->6729 6730 403198 4 API calls 6729->6730 6731 408e13 6729->6731 6730->6729 6732 403932 6733 403924 6732->6733 6736 40374c 6733->6736 6735 40392c 6737 403759 6736->6737 6738 403766 6736->6738 6737->6738 6739 403779 VariantClear 6737->6739 6738->6735 6739->6735 6008 4075c4 SetFilePointer 6009 4075f7 6008->6009 6010 4075e7 GetLastError 6008->6010 6010->6009 6011 4075f0 6010->6011 6012 40748c 35 API calls 6011->6012 6012->6009 6335 4076c8 WriteFile 6336 4076e8 6335->6336 6337 4076ef 6335->6337 6338 40748c 35 API calls 6336->6338 6339 407700 6337->6339 6340 4073ec 34 API calls 6337->6340 6338->6337 6340->6339 6341 40a2ca 6350 4096fc 6341->6350 6344 402f24 5 API calls 6345 40a2d4 6344->6345 6346 403198 4 API calls 6345->6346 6347 40a2f3 6346->6347 6348 403198 4 API calls 6347->6348 6349 40a2fb 6348->6349 6359 4056ac 6350->6359 6352 409717 6353 409745 6352->6353 6365 40720c 6352->6365 6356 403198 4 API calls 6353->6356 6355 409735 6358 40973d MessageBoxA 6355->6358 6357 40975a 6356->6357 6357->6344 6358->6353 6360 403154 4 API calls 6359->6360 6361 4056b1 6360->6361 6362 4056c9 6361->6362 6363 403154 4 API calls 6361->6363 6362->6352 6364 4056bf 6363->6364 6364->6352 6366 4056ac 4 API calls 6365->6366 6367 40721b 6366->6367 6368 407221 6367->6368 6369 40722f 6367->6369 6370 40322c 4 API calls 6368->6370 6372 40724b 6369->6372 6373 40723f 6369->6373 6371 40722d 6370->6371 6371->6355 6383 4032b8 6372->6383 6376 4071d0 6373->6376 6377 40322c 4 API calls 6376->6377 6378 4071df 6377->6378 6379 4071fc 6378->6379 6380 406950 CharPrevA 6378->6380 6379->6371 6381 4071eb 6380->6381 6381->6379 6382 4032fc 18 API calls 6381->6382 6382->6379 
6384 403278 18 API calls 6383->6384 6385 4032c2 6384->6385 6385->6371 6386 402ccc 6389 402cfe 6386->6389 6391 402cdd 6386->6391 6387 402d88 RtlUnwind 6388 403154 4 API calls 6387->6388 6388->6389 6390 402b28 RaiseException 6392 402d7f 6390->6392 6391->6387 6391->6389 6391->6390 6392->6387 6748 403fcd 6749 403f07 4 API calls 6748->6749 6750 403fd6 6749->6750 6751 403e9c 4 API calls 6750->6751 6752 403fe2 6751->6752 6393 4024d0 6394 4024e4 6393->6394 6395 4024e9 6393->6395 6398 401918 4 API calls 6394->6398 6396 402518 6395->6396 6397 40250e RtlEnterCriticalSection 6395->6397 6400 4024ed 6395->6400 6408 402300 6396->6408 6397->6396 6398->6395 6402 402525 6404 402581 6402->6404 6405 402577 RtlLeaveCriticalSection 6402->6405 6403 401fd4 14 API calls 6406 402531 6403->6406 6405->6404 6406->6402 6418 40215c 6406->6418 6409 402314 6408->6409 6411 402335 6409->6411 6412 4023b8 6409->6412 6410 402344 6410->6402 6410->6403 6411->6410 6432 401b74 6411->6432 6412->6410 6416 402455 6412->6416 6435 401d80 6412->6435 6439 401e84 6412->6439 6416->6410 6417 401d00 9 API calls 6416->6417 6417->6410 6419 40217a 6418->6419 6420 402175 6418->6420 6422 4021ab RtlEnterCriticalSection 6419->6422 6424 4021b5 6419->6424 6426 40217e 6419->6426 6421 401918 4 API calls 6420->6421 6421->6419 6422->6424 6423 4021c1 6427 4022e3 RtlLeaveCriticalSection 6423->6427 6428 4022ed 6423->6428 6424->6423 6425 402244 6424->6425 6430 402270 6424->6430 6425->6426 6429 401d80 7 API calls 6425->6429 6426->6402 6427->6428 6428->6402 6429->6426 6430->6423 6431 401d00 7 API calls 6430->6431 6431->6423 6433 40215c 9 API calls 6432->6433 6434 401b95 6433->6434 6434->6410 6436 401d92 6435->6436 6437 401d89 6435->6437 6436->6412 6437->6436 6438 401b74 9 API calls 6437->6438 6438->6436 6444 401768 6439->6444 6441 401e99 6442 401ea6 6441->6442 6455 401dcc 6441->6455 6442->6412 6446 401787 6444->6446 6445 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6445->6446 6446->6445 6447 40183b 6446->6447 6449 40132c 
LocalAlloc 6446->6449 6450 401821 6446->6450 6451 4017d6 6446->6451 6452 4017e7 6447->6452 6466 4015c4 6447->6466 6449->6446 6453 40150c VirtualFree 6450->6453 6462 40150c 6451->6462 6452->6441 6453->6452 6456 401d80 9 API calls 6455->6456 6457 401de0 6456->6457 6470 40132c 6457->6470 6459 401df0 6460 401df8 6459->6460 6474 401b44 6459->6474 6460->6442 6465 40153b 6462->6465 6463 401594 6463->6452 6464 401568 VirtualFree 6464->6465 6465->6463 6465->6464 6467 40160a 6466->6467 6468 401626 VirtualAlloc 6467->6468 6469 40163a 6467->6469 6468->6467 6468->6469 6469->6452 6471 401348 6470->6471 6479 4012e4 6471->6479 6475 401b61 6474->6475 6476 401b52 6474->6476 6475->6460 6477 401d00 9 API calls 6476->6477 6478 401b5f 6477->6478 6478->6460 6482 40128c 6479->6482 6483 401298 LocalAlloc 6482->6483 6484 4012aa 6482->6484 6483->6484 6484->6459 6485 4028d2 6486 4028da 6485->6486 6487 403554 4 API calls 6486->6487 6488 4028ef 6486->6488 6487->6486 6489 4025ac 4 API calls 6488->6489 6490 4028f4 6489->6490 6753 4019d3 6754 4019ba 6753->6754 6755 4019c3 RtlLeaveCriticalSection 6754->6755 6756 4019cd 6754->6756 6755->6756 6112 407fd4 6113 407fe6 6112->6113 6115 407fed 6112->6115 6123 407f10 6113->6123 6116 408017 6115->6116 6118 408015 6115->6118 6121 408021 6115->6121 6134 407d7c 6116->6134 6117 40804e 6137 407e2c 6118->6137 6120 407d7c 33 API calls 6120->6117 6121->6117 6121->6120 6124 407f25 6123->6124 6125 407d7c 33 API calls 6124->6125 6126 407f34 6124->6126 6125->6126 6127 407d7c 33 API calls 6126->6127 6129 407f6e 6126->6129 6127->6129 6128 407f82 6133 407fae 6128->6133 6144 407eb8 6128->6144 6129->6128 6130 407d7c 33 API calls 6129->6130 6130->6128 6133->6115 6147 4058c4 6134->6147 6136 407d9e 6136->6121 6138 405194 33 API calls 6137->6138 6139 407e57 6138->6139 6155 407de4 6139->6155 6141 407e5f 6142 403198 4 API calls 6141->6142 6143 407e74 6142->6143 6143->6121 6145 407ec7 VirtualFree 6144->6145 6146 407ed9 VirtualAlloc 6144->6146 6145->6146 6146->6133 6148 4058d0 
6147->6148 6149 405194 33 API calls 6148->6149 6150 4058fd 6149->6150 6151 4031e8 18 API calls 6150->6151 6152 405908 6151->6152 6153 403198 4 API calls 6152->6153 6154 40591d 6153->6154 6154->6136 6156 4058c4 33 API calls 6155->6156 6157 407e06 6156->6157 6157->6141 6495 405ad4 6496 405adc 6495->6496 6500 405ae4 6495->6500 6497 405ae2 6496->6497 6498 405aeb 6496->6498 6502 405a4c 6497->6502 6499 405940 19 API calls 6498->6499 6499->6500 6503 405a54 6502->6503 6504 405a6e 6503->6504 6505 403154 4 API calls 6503->6505 6506 405a73 6504->6506 6507 405a8a 6504->6507 6505->6503 6508 405940 19 API calls 6506->6508 6509 403154 4 API calls 6507->6509 6510 405a86 6508->6510 6511 405a8f 6509->6511 6513 403154 4 API calls 6510->6513 6512 4059b0 33 API calls 6511->6512 6512->6510 6514 405ab8 6513->6514 6515 403154 4 API calls 6514->6515 6516 405ac6 6515->6516 6516->6500 6517 40a0d5 6518 40a105 6517->6518 6519 40a10f CreateWindowExA SetWindowLongA 6518->6519 6520 405194 33 API calls 6519->6520 6521 40a192 6520->6521 6522 4032fc 18 API calls 6521->6522 6523 40a1a0 6522->6523 6524 4032fc 18 API calls 6523->6524 6525 40a1ad 6524->6525 6526 406b7c 19 API calls 6525->6526 6527 40a1b9 6526->6527 6528 4032fc 18 API calls 6527->6528 6529 40a1c2 6528->6529 6530 4099a4 43 API calls 6529->6530 6531 40a1d4 6530->6531 6532 409884 19 API calls 6531->6532 6533 40a1e7 6531->6533 6532->6533 6534 40a220 6533->6534 6535 4094d8 9 API calls 6533->6535 6536 40a239 6534->6536 6539 40a233 RemoveDirectoryA 6534->6539 6535->6534 6537 40a242 DestroyWindow 6536->6537 6538 40a24d 6536->6538 6537->6538 6540 40a275 6538->6540 6541 40357c 4 API calls 6538->6541 6539->6536 6542 40a26b 6541->6542 6543 4025ac 4 API calls 6542->6543 6543->6540 6013 40a0e7 6014 40a0eb SetLastError 6013->6014 6044 409648 GetLastError 6014->6044 6017 40a105 6019 40a10f CreateWindowExA SetWindowLongA 6017->6019 6018 402f24 5 API calls 6018->6017 6020 405194 33 API calls 6019->6020 6021 40a192 6020->6021 6022 4032fc 18 API calls 
6021->6022 6023 40a1a0 6022->6023 6024 4032fc 18 API calls 6023->6024 6025 40a1ad 6024->6025 6057 406b7c GetCommandLineA 6025->6057 6028 4032fc 18 API calls 6029 40a1c2 6028->6029 6062 4099a4 6029->6062 6032 409884 19 API calls 6033 40a1e7 6032->6033 6034 40a220 6033->6034 6035 4094d8 9 API calls 6033->6035 6036 40a239 6034->6036 6039 40a233 RemoveDirectoryA 6034->6039 6035->6034 6037 40a242 DestroyWindow 6036->6037 6038 40a24d 6036->6038 6037->6038 6040 40a275 6038->6040 6041 40357c 4 API calls 6038->6041 6039->6036 6042 40a26b 6041->6042 6043 4025ac 4 API calls 6042->6043 6043->6040 6045 404c94 33 API calls 6044->6045 6046 40968f 6045->6046 6047 407284 19 API calls 6046->6047 6048 40969f 6047->6048 6049 408da8 18 API calls 6048->6049 6050 4096b4 6049->6050 6051 405890 18 API calls 6050->6051 6052 4096c3 6051->6052 6053 4031b8 4 API calls 6052->6053 6054 4096e2 6053->6054 6055 403198 4 API calls 6054->6055 6056 4096ea 6055->6056 6056->6017 6056->6018 6058 406af0 18 API calls 6057->6058 6059 406ba1 6058->6059 6060 403198 4 API calls 6059->6060 6061 406bbf 6060->6061 6061->6028 6063 4033b4 18 API calls 6062->6063 6064 4099df 6063->6064 6065 409a11 CreateProcessA 6064->6065 6066 409a24 CloseHandle 6065->6066 6067 409a1d 6065->6067 6069 409a2d 6066->6069 6068 409648 35 API calls 6067->6068 6068->6066 6078 409978 6069->6078 6072 409a49 6073 409978 3 API calls 6072->6073 6074 409a4e GetExitCodeProcess CloseHandle 6073->6074 6075 409a6e 6074->6075 6076 403198 4 API calls 6075->6076 6077 409a76 6076->6077 6077->6032 6077->6033 6079 40998c PeekMessageA 6078->6079 6080 409980 TranslateMessage DispatchMessageA 6079->6080 6081 40999e MsgWaitForMultipleObjects 6079->6081 6080->6079 6081->6069 6081->6072 6760 402be9 RaiseException 6761 402c04 6760->6761 6550 402af2 6551 402afe 6550->6551 6554 402ed0 6551->6554 6555 403154 4 API calls 6554->6555 6557 402ee0 6555->6557 6556 402b03 6557->6556 6559 402b0c 6557->6559 6560 402b25 6559->6560 6561 402b15 RaiseException 6559->6561 
6560->6556 6561->6560 6762 402dfa 6763 402e26 6762->6763 6764 402e0d 6762->6764 6766 402ba4 6764->6766 6767 402bc9 6766->6767 6768 402bad 6766->6768 6767->6763 6769 402bb5 RaiseException 6768->6769 6769->6767 6770 4075fa GetFileSize 6771 407626 6770->6771 6772 407616 GetLastError 6770->6772 6772->6771 6773 40761f 6772->6773 6774 40748c 35 API calls 6773->6774 6774->6771 6775 406ffb 6776 407008 SetErrorMode 6775->6776 6566 403a80 CloseHandle 6567 403a90 6566->6567 6568 403a91 GetLastError 6566->6568 5879 40a282 5881 40a1f4 5879->5881 5880 40a220 5883 40a239 5880->5883 5886 40a233 RemoveDirectoryA 5880->5886 5881->5880 5891 4094d8 5881->5891 5884 40a242 DestroyWindow 5883->5884 5885 40a24d 5883->5885 5884->5885 5887 40a275 5885->5887 5899 40357c 5885->5899 5886->5883 5889 40a26b 5890 4025ac 4 API calls 5889->5890 5890->5887 5892 409532 5891->5892 5894 4094eb 5891->5894 5892->5880 5893 4094f3 Sleep 5893->5894 5894->5892 5894->5893 5895 409503 Sleep 5894->5895 5897 40951a GetLastError 5894->5897 5912 408fbc 5894->5912 5895->5894 5897->5892 5898 409524 GetLastError 5897->5898 5898->5892 5898->5894 5900 4035a0 5899->5900 5901 403591 5899->5901 5902 4035b1 5900->5902 5903 4035b8 5900->5903 5906 4035d0 5901->5906 5907 40359b 5901->5907 5908 4035b6 5901->5908 5904 403198 4 API calls 5902->5904 5905 4031b8 4 API calls 5903->5905 5904->5908 5905->5908 5906->5908 5910 40357c 4 API calls 5906->5910 5907->5900 5909 4035ec 5907->5909 5908->5889 5909->5908 5920 403554 5909->5920 5910->5906 5913 408f70 2 API calls 5912->5913 5914 408fd2 5913->5914 5915 408fd6 5914->5915 5916 408ff2 DeleteFileA GetLastError 5914->5916 5915->5894 5917 409010 5916->5917 5918 408fac Wow64RevertWow64FsRedirection 5917->5918 5919 409018 5918->5919 5919->5894 5921 403566 5920->5921 5923 403578 5921->5923 5924 403604 5921->5924 5923->5909 5925 40357c 5924->5925 5926 4035a0 5925->5926 5927 4035b6 5925->5927 5932 4035d0 5925->5932 5933 40359b 5925->5933 5928 4035b1 5926->5928 5929 4035b8 5926->5929 
5927->5921 5930 403198 4 API calls 5928->5930 5931 4031b8 4 API calls 5929->5931 5930->5927 5931->5927 5932->5927 5934 40357c 4 API calls 5932->5934 5933->5926 5936 4035ec 5933->5936 5934->5932 5935 403554 4 API calls 5935->5936 5936->5927 5936->5935 6569 404283 6570 4042c3 6569->6570 6571 403154 4 API calls 6570->6571 6572 404323 6571->6572 6777 404185 6778 4041ff 6777->6778 6779 4041cc 6778->6779 6780 403154 4 API calls 6778->6780 6781 404323 6780->6781 6573 40a287 6574 40a290 6573->6574 6576 40a2bb 6573->6576 6583 409448 6574->6583 6578 403198 4 API calls 6576->6578 6577 40a295 6577->6576 6580 40a2b3 MessageBoxA 6577->6580 6579 40a2f3 6578->6579 6581 403198 4 API calls 6579->6581 6580->6576 6582 40a2fb 6581->6582 6584 409454 GetCurrentProcess OpenProcessToken 6583->6584 6585 4094af ExitWindowsEx 6583->6585 6586 409466 6584->6586 6587 40946a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6584->6587 6585->6586 6586->6577 6587->6585 6587->6586 6588 403e87 6589 403e4c 6588->6589 6590 403e62 6589->6590 6591 403e7b 6589->6591 6592 403e67 6589->6592 6594 403cc8 4 API calls 6590->6594 6593 402674 4 API calls 6591->6593 6595 403e78 6592->6595 6596 402674 4 API calls 6592->6596 6593->6595 6594->6592 6596->6595 6605 407e90 6606 407eb8 VirtualFree 6605->6606 6607 407e9d 6606->6607 6786 403991 6787 403983 6786->6787 6788 40374c VariantClear 6787->6788 6789 40398b 6788->6789 6619 403a97 6620 403aac 6619->6620 6621 403bbc GetStdHandle 6620->6621 6622 403b0e CreateFileA 6620->6622 6632 403ab2 6620->6632 6623 403c17 GetLastError 6621->6623 6627 403bba 6621->6627 6622->6623 6624 403b2c 6622->6624 6623->6632 6626 403b3b GetFileSize 6624->6626 6624->6627 6626->6623 6628 403b4e SetFilePointer 6626->6628 6629 403be7 GetFileType 6627->6629 6627->6632 6628->6623 6633 403b6a ReadFile 6628->6633 6631 403c02 CloseHandle 6629->6631 6629->6632 6631->6632 6633->6623 6634 403b8c 6633->6634 6634->6627 6635 403b9f SetFilePointer 6634->6635 6635->6623 6636 403bb0 SetEndOfFile 
6635->6636 6636->6623 6636->6627 6794 405ba2 6796 405ba4 6794->6796 6795 405be0 6799 405940 19 API calls 6795->6799 6796->6795 6797 405bf7 6796->6797 6798 405bda 6796->6798 6803 404cdc 19 API calls 6797->6803 6798->6795 6800 405c4c 6798->6800 6801 405bf3 6799->6801 6802 4059b0 33 API calls 6800->6802 6805 403198 4 API calls 6801->6805 6802->6801 6804 405c20 6803->6804 6806 4059b0 33 API calls 6804->6806 6807 405c86 6805->6807 6806->6801 6808 408da4 6809 408dc8 6808->6809 6810 408c80 18 API calls 6809->6810 6811 408dd1 6810->6811 6637 402caa 6638 403154 4 API calls 6637->6638 6639 402caf 6638->6639 6826 4011aa 6827 4011ac GetStdHandle 6826->6827 6108 4076ac SetEndOfFile 6109 4076c3 6108->6109 6110 4076bc 6108->6110 6111 40748c 35 API calls 6110->6111 6111->6109 6640 4028ac 6641 402594 18 API calls 6640->6641 6642 4028b6 6641->6642 6643 401ab9 6644 401a96 6643->6644 6645 401aa9 RtlDeleteCriticalSection 6644->6645 6646 401a9f RtlLeaveCriticalSection 6644->6646 6646->6645

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B42
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0


APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
Strings
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586


APIs
• SetLastError.KERNEL32 ref: 0040A0F4
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020F0EAC), ref: 0040966C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00020430,000000FC,00409918), ref: 0040A148
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• DestroyWindow.USER32(00020430,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
Strings
Similarity
• API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3757039580-3001827809


APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
                                                                                                                                                                                                                                                        • Opcode ID: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                                                                                                                                                                        • Instruction ID: 4a4222b704d734fa8d0781b40c04fe9f9c76e7b4f133337d95099c0c8a01123f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: acfb4439f313785c2c2b120c37d6defef782ad7ac64c67e7eba3e924cf2abd75
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 20017170748342AEFB00BB72DD4AB163A68E785704F50457BF5407A2D3DABD4C04DA6D

                                                                                                                                                                                                                                                        Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00020430,000000FC,00409918), ref: 0040A148
  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
  • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90,00000000,00409A77), ref: 00409A14
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90,00000000), ref: 00409A28
  • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
  • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90), ref: 00409A5C
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• DestroyWindow.USER32(00020430,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3586484885-3001827809
• Opcode ID: a64027cc69530ce26e0d020b421cb23cd984c73ff13cd53596b8d38fe4c4ed4c
• Instruction ID: bf8877be64b1eb53a955be5febe4cb156f3d413c702a3b20994545be7baf65d7
• Opcode Fuzzy Hash: a64027cc69530ce26e0d020b421cb23cd984c73ff13cd53596b8d38fe4c4ed4c
• Instruction Fuzzy Hash: 75411A71604204DFD714EBA9EE86B5A77A4EB49304F10427EE514B73E1CBB8A810CB9D

Control-flow Graph (graph image not reproduced in this export)

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90,00000000,00409A77), ref: 00409A14
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90,00000000), ref: 00409A28
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,020F0EAC,00409A90), ref: 00409A5C
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,020F0EAC), ref: 0040966C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 752074f715f169f8c9b0a2dfdb1d62babdf7ca20371da5ab86507c15e851728d
• Instruction ID: 6ea97129cf5aa135a7f7046e3a99eae43c862e8aca722617c6144c18eae127a8
• Opcode Fuzzy Hash: 752074f715f169f8c9b0a2dfdb1d62babdf7ca20371da5ab86507c15e851728d
• Instruction Fuzzy Hash: 3A1142B17442486EDB10EBE68C42FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Control-flow Graph: basic blocks 4019dc-401abd; the API-calling nodes are 401a04-401a09 (RtlEnterCriticalSection), 401a0e-401a2d (LocalFree), 401a2f-401a3f (VirtualFree), 401a70-401a85 (LocalFree), 401a9f-401aa4 (RtlLeaveCriticalSection) and 401aa9-401ab3 (RtlDeleteCriticalSection). The executed/not-executed colouring and the full edge list of the graph image are not reproduced in this export.
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
• Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
• Opcode Fuzzy Hash: 2760f6fc436d2282df077fa3fe2c561b0ff429e9c23b98cc44d100e589fe962f
• Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
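The "API ID" line of each function record above is the key Joe Sandbox uses for its Similarity lookup, and it is cheap to recompute from the API bullets when you want to match the same routine across other samples. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses API lines in the report's text format (including the indented "Part of subcall function" entries) and rebuilds the API ID for the four function records shown on this page, the Inno Setup loader window routine, the child-process runner, the critical-section/heap teardown and the runtime-error handler. The grouping rule (words grouped by how many calls contain them, most frequent group first, alphabetical inside a group, groups joined with "$") and the list of tokens the report drops (Get, Set, Rtl, Msg, For, Ex, A, Box) are inferred from these five records only and are assumptions; the record labels in SAMPLE are hypothetical names of mine, and the argument lists are shortened copies. Note for triage: the CreateWindowExA("STATIC", "InnoSetupLdrWindow") routine together with the /SL5=" string and the CreateProcessA, MsgWaitForMultipleObjects, GetExitCodeProcess, RemoveDirectoryA sequence is the stock Inno Setup bootstrapper (SetupLdr) that launches the embedded setup and waits for it, so these records describe the installer stub, not the payload the detections refer to.

```python
"""Rebuild a Joe Sandbox function record's 'API ID' from its API call lines.
Example code added to this page for illustration; it is not part of the
Joe Sandbox report or of Joe Security's tooling."""
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class Call(NamedTuple):
    api: str               # e.g. "CreateProcessA"
    module: str            # e.g. "KERNEL32"
    args: List[str]        # raw argument tokens as printed in the report
    ref: str               # address of the call instruction
    callee: Optional[str]  # set when the line is "Part of subcall function X"


CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)
WORD_RE = re.compile(r"[A-Z][a-z0-9]*")   # CamelCase token
HEX8_RE = re.compile(r"^[0-9A-F]{8}$")    # 32-bit constant as printed

# Assumption: filler tokens the report drops before building an API ID.
# Inferred from the five records on this page; not documented by Joe Sandbox.
STOP_WORDS = frozenset({"Get", "Set", "Rtl", "Msg", "For", "Ex", "A", "Box"})

# Constructed sample input: the 'APIs' bullets of four records on this page,
# argument lists shortened.  The record labels are hypothetical names.
SAMPLE = {
    "setupldr_window": """
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00400000,00000000), ref: 0040A131
• SetWindowLongA.USER32(00020430,000000FC,00409918), ref: 0040A148
  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?), ref: 00406B94
  • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000044,?,00409A9C), ref: 00409A14
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000), ref: 00409A28
  • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
  • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
  • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?), ref: 00409A5C
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?), ref: 0040A234
• DestroyWindow.USER32(00020430,0040A287,?), ref: 0040A248
""",
    "run_child": """
• CreateProcessA.KERNEL32(00000000,00000044,?,00409A9C), ref: 00409A14
• CloseHandle.KERNEL32(?,00000000), ref: 00409A28
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
• GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
• CloseHandle.KERNEL32(?,?), ref: 00409A5C
  • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?), ref: 0040966C
""",
    "heap_teardown": """
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00401A3A
• LocalFree.KERNEL32(00000000,00000000,00000000), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
""",
    "runtime_error": """
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
""",
}


def parse_calls(text: str) -> List[Call]:
    """Parse the bullet lines of an 'APIs' block into Call records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        calls.append(Call(m.group("api"), m.group("module"), args,
                          m.group("ref"), m.group("callee")))
    return calls


def split_words(api: str) -> List[str]:
    """CamelCase split minus filler: 'GetExitCodeProcess' -> ['Exit','Code','Process']."""
    return [w for w in WORD_RE.findall(api) if w not in STOP_WORDS]


def api_id(calls: List[Call]) -> str:
    """Words grouped by occurrence count (duplicate calls count twice), most
    frequent group first, alphabetical within a group, groups joined by '$'."""
    counts = Counter(w for c in calls for w in split_words(c.api))
    by_count = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


def string_args(calls: List[Call]) -> List[str]:
    """Arguments that are neither 32-bit hex constants nor unknown ('?'):
    the literal strings the function hands to the API."""
    return [a for c in calls for a in c.args
            if a and a != "?" and not HEX8_RE.match(a)]


if __name__ == "__main__":
    for name, text in SAMPLE.items():
        calls = parse_calls(text)
        print(f"{name}: API ID = {api_id(calls)}; strings = {string_args(calls)}")
```

Running the script prints the same four API IDs the report lists for these records, so the inferred rule reproduces the report for every record on this page; treat a mismatch on other records as a sign that the stop-word list is incomplete rather than that the record differs. The string arguments it pulls out (STATIC, InnoSetupLdrWindow, "Runtime error at 00000000", Error) are the tokens worth carrying into a hunt query.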

Control-flow Graph: basic blocks 403d02-403e19; the API-calling nodes are 403d8f-403da2 (MessageBoxA) and 403ddf-403de5 (ExitProcess). The executed/not-executed colouring and the full edge list of the graph image are not reproduced in this export.
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                                                                                                                                                                        • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Control-flow Graph

control_flow_graph 186 401918-40193a RtlInitializeCriticalSection 187 401946-40197c call 4012dc * 3 LocalAlloc 186->187 188 40193c-401941 RtlEnterCriticalSection 186->188 195 4019ad-4019c1 187->195 196 40197e 187->196 188->187 200 4019c3-4019c8 RtlLeaveCriticalSection 195->200 201 4019cd 195->201 197 401983-401995 196->197 197->197 199 401997-4019a6 197->199 199->195 200->201
APIs
• RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
• Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: 025cb7c8070ceb0a973f57dc2423f3e96cefce6b80174f3a3145c26c436c6efd
• Instruction ID: 436c98ae07f88f71ec52beeb6e72a39fdb1c754e3b127fd60db974180cd34f4e
• Opcode Fuzzy Hash: 025cb7c8070ceb0a973f57dc2423f3e96cefce6b80174f3a3145c26c436c6efd
• Instruction Fuzzy Hash: 7541AC30600200DFC715EF25DE96A5A77A5EB49304B50463AF804B73E2CBB9AC05CBAD

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: cf567291c84692d100e5ec609b282d55b3c5af0b5f3d357f2e8f357a6d06844b
• Instruction ID: effdcd9541676c6323f3fad609c54d18bb0bf767b5f2530b550772909ae59cb2
• Opcode Fuzzy Hash: cf567291c84692d100e5ec609b282d55b3c5af0b5f3d357f2e8f357a6d06844b
• Instruction Fuzzy Hash: 1F418D70610204DFC715EF25DED6A5A77A5EB49308B50463AF804B73E2CBB9AC05CBAD

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 7ba2b511fbcbba0bdafc57409f78771f2ffb69bdc1885ec5b7c8c3418ce725e0
• Instruction ID: 229665e4fb482f752e04f7b041ef1ce89d659938bfc828767b82506ffacbf3f4
• Opcode Fuzzy Hash: 7ba2b511fbcbba0bdafc57409f78771f2ffb69bdc1885ec5b7c8c3418ce725e0
• Instruction Fuzzy Hash: 7C213774A04208ABDB05EFA1C8429DFB7B9EF88304F50457BE901B73C2DA7C9E059A65

Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 327 4094d8-4094e9 328 409532-409537 327->328 329 4094eb-4094ec 327->329 330 4094ee-4094f1 329->330 331 4094f3-4094fc Sleep 330->331 332 4094fe-409501 330->332 333 40950c-409511 call 408fbc 331->333 332->333 334 409503-409507 Sleep 332->334 336 409516-409518 333->336 334->333 336->328 337 40951a-409522 GetLastError 336->337 337->328 338 409524-40952c GetLastError 337->338 338->328 339 40952e-409530 338->339 339->328 339->330
APIs
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00409019,?,0000000D,00000000), ref: 00408FF3
• GetLastError.KERNEL32(00000000,00000000,00409019,?,0000000D,00000000), ref: 00408FFB
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
APIs
• RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
• DestroyWindow.USER32(00020430,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
  • Part of subcall function 004094D8: Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
  • Part of subcall function 004094D8: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
  • Part of subcall function 004094D8: GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
• String ID:
• API String ID: 2192421792-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                                                                                                                                                                                                                        • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLibraryLoadMode
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2987862817-0
                                                                                                                                                                                                                                                        • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                                                                                                                                                                        • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                                                                                                                                                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1156039329-0
                                                                                                                                                                                                                                                        • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                                                                                                                                                                        • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastRead
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1948546556-0
                                                                                                                                                                                                                                                        • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                                                                                                                                                                        • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                                                                                                                                                                                                          • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1156039329-0
                                                                                                                                                                                                                                                        • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                                                                                                                                                                        • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                                                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Virtual$AllocFree
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2087232378-0
                                                                                                                                                                                                                                                        • Opcode ID: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
                                                                                                                                                                                                                                                        • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: efc6f27fa4c1f0416fcf42a0cb9c981ca4ea103f0f96f52908972bf4ed8d2b74
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
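The API lines in these function records are dumps of the stack at the call site: the first slots are the API's real parameters, every slot after the documented arity is residue (return addresses, saved values) and "?" marks a slot the static pass could not resolve. Raw hex such as 00008000 or 00002000 is only useful once mapped back to the Win32 constant. The script below is an added example, not part of this Joe Sandbox report or of the analysed sample: it parses call lines in the report's format and decodes the parameters it knows. The arity and constant tables are taken from the Win32 SDK headers and are the script's own assumptions; the sample lines are copied from the records on this page.

```python
"""Decode Joe Sandbox function-summary API lines (added example, not report code).

Line shape:  [Part of subcall function CALLER:] Name.MODULE(slot,slot,...), ref: RVA
Slots beyond the API's arity are stack residue, '?' is an unresolved slot.
ARITY / FLAGS / ENUMS below come from the Win32 SDK headers (assumption, not
something the report states).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<rva>[0-9A-Fa-f]+)$"
)

# Documented parameter names; len() is the arity used to split params from residue.
ARITY = {
    "SetErrorMode": ["uMode"],
    "LoadLibraryA": ["lpLibFileName"],
    "SetFilePointer": ["hFile", "lDistanceToMove", "lpDistanceToMoveHigh", "dwMoveMethod"],
    "ReadFile": ["hFile", "lpBuffer", "nNumberOfBytesToRead", "lpNumberOfBytesRead", "lpOverlapped"],
    "GetLastError": [],
    "GetSystemDefaultLCID": [],
    "VirtualAlloc": ["lpAddress", "dwSize", "flAllocationType", "flProtect"],
    "VirtualFree": ["lpAddress", "dwSize", "dwFreeType"],
    "GetLocaleInfoA": ["Locale", "LCType", "lpLCData", "cchData"],
    "LoadStringA": ["hInstance", "uID", "lpBuffer", "cchBufferMax"],
}

# Bitmask parameters (OR-able flags).
FLAGS = {
    ("SetErrorMode", "uMode"): {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
                                0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"},
    ("VirtualAlloc", "flAllocationType"): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
                                           0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"},
    ("VirtualFree", "dwFreeType"): {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"},
}

# Exact-value parameters (one constant, not a mask).
ENUMS = {
    ("VirtualAlloc", "flProtect"): {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                                    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                                    0x40: "PAGE_EXECUTE_READWRITE"},
    ("SetFilePointer", "dwMoveMethod"): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
    ("GetLocaleInfoA", "LCType"): {0x44 + i: f"LOCALE_SABBREVMONTHNAME{i + 1}" for i in range(12)},
}


@dataclass
class Call:
    name: str
    module: str
    rva: int
    caller: Optional[int]
    params: List[Tuple[str, str, str]] = field(default_factory=list)  # (param, raw, decoded)
    residue: List[str] = field(default_factory=list)                   # stack slots past the arity


def decode_value(api: str, param: str, raw: str) -> str:
    """Turn one raw stack slot into a readable constant where a table exists."""
    if raw == "?":
        return "unresolved"
    value = int(raw, 16)
    if (api, param) in ENUMS:
        return ENUMS[(api, param)].get(value, f"unknown(0x{value:X})")
    if (api, param) in FLAGS:
        table = FLAGS[(api, param)]
        names = [n for bit, n in table.items() if value & bit]
        leftover = value & ~sum(table)          # bits not covered by the table
        if leftover:
            names.append(f"0x{leftover:X}")
        return "|".join(names) if names else "0"
    return f"0x{value:X}"


def parse_call(line: str) -> Optional[Call]:
    """Parse one report line; returns None for lines that are not API calls."""
    m = CALL_RE.match(line.strip().lstrip("\u2022").strip())
    if not m:
        return None
    raw_args = m["args"].strip()
    slots = [a.strip() for a in raw_args.split(",")] if raw_args else []
    call = Call(m["name"], m["module"], int(m["rva"], 16),
                int(m["caller"], 16) if m["caller"] else None)
    names = ARITY.get(call.name)
    if names is None:                           # unknown API: cannot split, keep every slot as residue
        call.residue = slots
        return call
    for pname, raw in zip(names, slots):
        call.params.append((pname, raw, decode_value(call.name, pname, raw)))
    call.residue = slots[len(names):]
    return call


def decode_report(lines) -> List[Call]:
    return [c for c in (parse_call(l) for l in lines) if c is not None]


def summarize(call: Call) -> str:
    params = ", ".join(f"{p}={d}" for p, _, d in call.params)
    via = f" (in subcall {call.caller:08X})" if call.caller is not None else ""
    tail = f"  [+{len(call.residue)} stack slots beyond arity]" if call.residue else ""
    return f"{call.name}({params}) @{call.rva:08X}{via}{tail}"


# Constructed input: API lines copied from the function records on this page.
SAMPLE_LINES = [
    "• SetErrorMode.KERNEL32(00008000), ref: 00406FAA",
    "• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9",
    "• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB",
    "  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,"
    "00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F",
    "• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643",
    "• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F",
    "• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486",
    "  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,"
    "00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A",
    "  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9",
]

if __name__ == "__main__":
    for call in decode_report(SAMPLE_LINES):
        print(summarize(call))
```

Read this way, the SetErrorMode/LoadLibraryA record becomes a library load with SEM_NOOPENFILEERRORBOX set so a missing DLL produces no dialog, the VirtualAlloc record reserves address space without committing it (MEM_RESERVE, PAGE_NOACCESS) and the matching VirtualFree uses MEM_RELEASE; none of that is visible from the raw hex alone. Any value the script cannot map is kept as hex rather than guessed.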
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                                                                                                                                                                                                          • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• SetEndOfFile.KERNEL32(?,02128000,0040A08C,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020F03AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 734332943-0
                                                                                                                                                                                                                                                        • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                                                                                                                                                                                        • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                                                                                                        • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                                                                                                                                                                        • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                                                                                                        • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                                                                                                                                                                        • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CharPrev
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 122130370-0
                                                                                                                                                                                                                                                        • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                                                                                                                                                                        • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                                                                                        • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                                                                                                                                                        • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FreeVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1263568516-0
                                                                                                                                                                                                                                                        • Opcode ID: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
                                                                                                                                                                                                                                                        • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a2f32dd8ef58eb042d1926e7c5d87192c2fb778a874e681f692e1318d4ea2181
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
APIs
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
• Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
• Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
• Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
• Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
• Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
• Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
• Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
• Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,00409C6A), ref: 00405D02
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Version
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1889659487-0
                                                                                                                                                                                                                                                        • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                                                                                                                                                                        • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                                                                                                                                                                        • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
• Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
• Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
• Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
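The per-function records above (API call sites with their stack arguments, the "String ID" list, and the opcode/instruction fuzzy hashes) are the text form of the Joe Sandbox IDA plugin output. When triaging a long report like this one, it helps to pull the records back into structured form so you can list every API the binary actually reaches, find the function that resolves GetUserDefaultUILanguage at run time, and decode the CreateFileA flags in the file-rewriting function. The following Python is an added example written for this purpose; it is not part of the report and not Joe Sandbox's own tooling. The sample it parses is copied from the records on this page and trimmed. Its assumptions: a record ends at its "Instruction Fuzzy Hash" line, API lines have the shape `Name.MODULE(args), ref: ADDR`, the arguments shown for CreateFileA are the pushed arguments in declaration order, and the flag names it emits are this example's own labels, not sandbox verdicts.

```python
"""Parse Joe Sandbox per-function records (text form) into triage data.
Added example, not Joe Sandbox's own code.  Assumed: a record is closed by its
"Instruction Fuzzy Hash" line; API lines read "Name.MODULE(args), ref: ADDR";
CreateFileA args are listed in declaration order.  Flag names are my own."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records copied from the report excerpt, trimmed.
SAMPLE = r"""
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll), ref: 004070A1
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?), ref: 004053DE
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100), ref: 0040522A
Similarity
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str              # address of the call site
    subcall_of: str = ""  # set for "Part of subcall function X:" lines

@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    instr_fuzzy: str = ""

_CALL = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+): )?"
                   r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
_FIELD = re.compile(r"^•\s*([A-Za-z ]+): ?(.*)$")

def parse_records(text):
    """Split the dump into Records; a record ends at its Instruction Fuzzy Hash."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip()
        m = _CALL.match(line)
        if m:
            sub, name, mod, args, ref = m.groups()
            cur.calls.append(ApiCall(name, mod, args.split(","), ref, sub or ""))
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.strings = [s for s in val.split("$") if s]  # '$' separates strings
        elif key == "API String ID":
            cur.api_string_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instr_fuzzy = val
            records.append(cur)
            cur = Record()
    return records

def flags(rec):
    """Heuristic labels for one function; the names are this example's own."""
    names = {c.name for c in rec.calls}
    out = set()
    if "GetProcAddress" in names:
        out.add("dynamic-api-resolution")  # import resolved at run time
    if "SetEndOfFile" in names:
        out.add("file-truncation")         # rewrites a file's length
    if any(n.startswith("Reg") for n in names):
        out.add("registry-access")
    return out

def find_calls(records, api_name):
    return [(r, c) for r in records for c in r.calls if c.name == api_name]

def effective_imports(records):
    """MODULE!Api set across all records: what the code actually calls."""
    return sorted({f"{c.module}!{c.name}" for r in records for c in r.calls})

_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
_DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def _hexval(s):
    s = s.strip()
    return None if s in ("", "?") else int(s, 16) & 0xFFFFFFFF

def describe_createfile(call):
    """Decode dwDesiredAccess, dwShareMode and dwCreationDisposition of a
    CreateFileA/W call; returns None when the report shows unknown ('?') args."""
    vals = [_hexval(a) for a in call.args[:5]]
    if len(vals) < 5 or any(v is None for v in vals):
        return None
    names = lambda v, t: [n for bit, n in t.items() if v & bit] or ["0"]
    return {"access": names(vals[1], _ACCESS), "share": names(vals[2], _SHARE),
            "disposition": _DISP.get(vals[4], hex(vals[4]))}
```

Run over the sample, the first record is flagged as resolving an API at run time and touching the registry (its strings name GetUserDefaultUILanguage and the ResourceLocale/International keys it falls back to), and the CreateFileA call in the second record decodes to GENERIC_READ, FILE_SHARE_WRITE, OPEN_EXISTING, which together with the SetEndOfFile call is what to look at when checking whether that function rewrites an existing file. The effective-import list is useful on samples like this one whose IAT is not the whole story because calls are resolved through GetProcAddress.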
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                                                                                                                                                                        • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                                                                                                                                                                        • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                                                                                                                                                                        • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                                                                                                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                                                                                                                                                                        • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                                                                                                                                                                        • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1694776339-0
                                                                                                                                                                                                                                                        • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                                                                        • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                                                                                                                                                                                          • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                                                                                                                                                                          • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                                                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                                                                                        • API String ID: 1044490935-665933166
                                                                                                                                                                                                                                                        • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                                                                                                                                                                        • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: QueryValue
• String ID: )q@
• API String ID: 3660427363-2284170586
APIs
• GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
• GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2795554773.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2795520483.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795589664.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2795629951.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: U1hd.@
• API String ID: 2123368496-2904493091

Execution Graph

Execution Coverage: 15.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 8.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 108
API calls 54054->54277 54063 48fc6a 54055->54063 54075 48fd92 54055->54075 54058 48fc27 54056->54058 54060 446ff8 32 API calls 54057->54060 54064 446f50 32 API calls 54058->54064 54065 48fbf7 54060->54065 54274 4473b0 19 API calls 54061->54274 54062 48fc8a 54068 446ff8 32 API calls 54062->54068 54063->54062 54280 48c68c 33 API calls 54063->54280 54069 48fc39 54064->54069 54070 446f50 32 API calls 54065->54070 54072 48fc99 54068->54072 54279 454528 43 API calls 54069->54279 54074 48fc09 54070->54074 54071 48fb54 54281 42c608 21 API calls 54072->54281 54278 454528 43 API calls 54074->54278 54084 48feea 54075->54084 54085 48fdb4 54075->54085 54080 48fca7 54082 48fd6d 54080->54082 54083 48fcaf 54080->54083 54088 4470d0 19 API calls 54082->54088 54282 42f560 54083->54282 54096 48fef9 54084->54096 54097 48ff27 54084->54097 54086 48fdd4 54085->54086 54327 48c68c 33 API calls 54085->54327 54090 446ff8 32 API calls 54086->54090 54092 48fd7a 54088->54092 54093 48fde5 54090->54093 54326 447278 19 API calls 54092->54326 54328 42c608 21 API calls 54093->54328 54100 446ff8 32 API calls 54096->54100 54108 48ff5c 54097->54108 54109 48ff36 54097->54109 54103 48ff08 54100->54103 54101 48fdf3 54104 48fdfb 54101->54104 54105 48fec5 54101->54105 54331 454dd4 54103->54331 54111 42f560 28 API calls 54104->54111 54107 4470d0 19 API calls 54105->54107 54115 48fed2 54107->54115 54126 48ff6b 54108->54126 54139 48ffa6 54108->54139 54355 4556d8 54109->54355 54113 48fe07 54111->54113 54118 446ff8 32 API calls 54113->54118 54330 447278 19 API calls 54115->54330 54123 48fe29 54118->54123 54130 446ff8 32 API calls 54126->54130 54134 48ff7a 54130->54134 54135 446f50 32 API calls 54134->54135 54140 48ff8c 54135->54140 54138 48fff1 54149 49007b 54138->54149 54150 490000 54138->54150 54139->54138 54143 446f50 32 API calls 54139->54143 54390 4554a8 41 API calls 54140->54390 54147 48ffc3 54143->54147 54153 446ff8 32 API calls 54147->54153 54148 48ff94 54154 4470d0 19 API calls 54148->54154 54161 49008a 
54149->54161 54175 4900b6 54149->54175 54155 446f50 32 API calls 54150->54155 54157 48ffd3 54153->54157 54154->53944 54158 49001c 54155->54158 54160 446f50 32 API calls 54157->54160 54162 446ff8 32 API calls 54158->54162 54164 48ffe2 54160->54164 54166 446ff8 32 API calls 54161->54166 54167 49002e 54162->54167 54189 4581f8 54164->54189 54170 490099 54166->54170 54173 446ff8 32 API calls 54170->54173 54175->53944 54179 446ff8 32 API calls 54175->54179 54184 4900d4 54179->54184 54185 446ff8 32 API calls 54184->54185 54187 4900e6 54185->54187 54205 4553cf 54199->54205 54200 403778 18 API calls 54200->54205 54202 4037b8 18 API calls 54202->54205 54203 42dbc8 19 API calls 54203->54205 54204 455465 54206 403420 4 API calls 54204->54206 54205->54200 54205->54202 54205->54203 54205->54204 54207 455431 OpenMutexA 54205->54207 54491 406bb0 54205->54491 54209 45547f 54206->54209 54207->54205 54208 455442 CloseHandle 54207->54208 54208->54204 54209->53940 54210->53947 54211->53967 54212->53965 54213->53974 54215 4537d0 54214->54215 54216 42c3fc 19 API calls 54215->54216 54217 4537e9 54216->54217 54218 403494 4 API calls 54217->54218 54221 4537f4 54218->54221 54219 42cbc0 20 API calls 54219->54221 54221->54219 54222 451458 18 API calls 54221->54222 54223 403634 18 API calls 54221->54223 54225 4529f0 25 API calls 54221->54225 54226 453870 54221->54226 54498 45373c 54221->54498 54506 408c0c 18 API calls 54221->54506 54222->54221 54223->54221 54225->54221 54227 403494 4 API calls 54226->54227 54228 45387b 54227->54228 54229 403420 4 API calls 54228->54229 54230 453895 54229->54230 54231 403400 4 API calls 54230->54231 54232 45389d 54231->54232 54233 44734c 19 API calls 54232->54233 54233->53944 54234->53944 54235->54004 54236->54008 54237->53944 54238->54007 54239->54014 54240->53944 54241->53944 54242->54023 54243->54027 54244->53944 54245->54026 54246->54033 54247->53944 54248->53944 54250 452724 2 API calls 54249->54250 54251 455e54 54250->54251 54252 455e61 54251->54252 54253 
455e58 54251->54253 54254 455ea5 54252->54254 54255 455e73 54252->54255 54257 403420 4 API calls 54253->54257 54258 42c804 19 API calls 54254->54258 54256 42c804 19 API calls 54255->54256 54259 455e84 54256->54259 54260 455f4a 54257->54260 54261 455ebf 54258->54261 54262 42c3fc 19 API calls 54259->54262 54260->54042 54507 42c8cc 54261->54507 54266 455e8f 54262->54266 54268 455e97 GetDiskFreeSpaceExA 54266->54268 54269 455f13 54268->54269 54274->54071 54276->53944 54277->54057 54278->53944 54279->53944 54280->54062 54281->54080 54283 42f56c 54282->54283 54284 42f58f GetActiveWindow GetFocus 54283->54284 54518 41eea4 GetCurrentThreadId EnumThreadWindows 54284->54518 54326->53944 54327->54086 54328->54101 54330->53944 54332 454ddd 54331->54332 54332->54332 54333 454e8c 54332->54333 54334 42d8c4 GetSystemDirectoryA 54332->54334 54335 42c804 19 API calls 54333->54335 54351 454f05 54333->54351 54336 454e2d 54334->54336 54339 454eaa 54335->54339 54338 42c3fc 19 API calls 54336->54338 54337 403420 4 API calls 54340 454f3f 54337->54340 54341 454e3e 54338->54341 54348 454eca 54339->54348 54588 453b34 54339->54588 54343 403400 4 API calls 54340->54343 54344 40357c 18 API calls 54341->54344 54349 454ee7 MultiByteToWideChar 54348->54349 54349->54351 54351->54337 54356 455715 54355->54356 54357 455730 54356->54357 54358 4557bf 54356->54358 54360 42de1c RegOpenKeyExA 54357->54360 54359 42d898 GetWindowsDirectoryA 54358->54359 54361 4557ca 54359->54361 54362 455749 54360->54362 54364 42c3fc 19 API calls 54361->54364 54363 455865 54362->54363 54365 42dd58 20 API calls 54362->54365 54373 403420 4 API calls 54363->54373 54366 4557db 54364->54366 54368 455761 54365->54368 54369 455776 54368->54369 54376 403744 18 API calls 54368->54376 54375 4558a1 54373->54375 54376->54369 54390->54148 54492 406bbf 54491->54492 54493 406be1 54492->54493 54494 406bd8 54492->54494 54496 403778 18 API calls 54493->54496 54495 403400 4 API calls 54494->54495 54497 406bdf 54495->54497 54496->54497 
54497->54205 54499 403400 4 API calls 54498->54499 54501 45375d 54499->54501 54500 403510 18 API calls 54500->54501 54501->54500 54502 403800 18 API calls 54501->54502 54503 45378a 54501->54503 54502->54501 54504 403400 4 API calls 54503->54504 54505 45379f 54504->54505 54505->54221 54506->54221 54515 42c674 54507->54515 54510 42c8e0 54511 42c8e9 54516 42c67c IsDBCSLeadByte 54515->54516 54517 42c67b 54516->54517 54517->54510 54517->54511 54519 41ef29 54518->54519 54610 41ee54 54611 41ee63 IsWindowVisible 54610->54611 54612 41ee99 54610->54612 54611->54612 54613 41ee6d IsWindowEnabled 54611->54613 54613->54612 54614 41ee77 54613->54614 54615 402648 18 API calls 54614->54615 54616 41ee81 EnableWindow 54615->54616 54616->54612 54617 491650 54618 49168a 54617->54618 54619 49168c 54618->54619 54620 491696 54618->54620 54812 409098 MessageBeep 54619->54812 54622 4916ce 54620->54622 54623 4916a5 54620->54623 54630 4916dd 54622->54630 54631 491706 54622->54631 54625 446ff8 32 API calls 54623->54625 54624 403420 4 API calls 54626 491ce2 54624->54626 54627 4916b2 54625->54627 54628 403400 4 API calls 54626->54628 54629 406bb0 18 API calls 54627->54629 54632 491cea 54628->54632 54633 4916bd 54629->54633 54634 446ff8 32 API calls 54630->54634 54638 49173e 54631->54638 54639 491715 54631->54639 54813 44734c 19 API calls 54633->54813 54635 4916ea 54634->54635 54814 406c00 18 API calls 54635->54814 54644 49174d 54638->54644 54645 491766 54638->54645 54641 446ff8 32 API calls 54639->54641 54640 4916f5 54815 44734c 19 API calls 54640->54815 54643 491722 54641->54643 54816 406c34 18 API calls 54643->54816 54818 407280 19 API calls 54644->54818 54652 49179a 54645->54652 54653 491775 54645->54653 54648 49172d 54817 44734c 19 API calls 54648->54817 54649 491755 54819 44734c 19 API calls 54649->54819 54656 4917a9 54652->54656 54657 4917d2 54652->54657 54654 446ff8 32 API calls 54653->54654 54655 491782 54654->54655 54820 4072a8 54655->54820 54659 446ff8 32 API calls 54656->54659 54664 
49180a 54657->54664 54665 4917e1 54657->54665 54661 4917b6 54659->54661 54660 49178a 54662 4470d0 19 API calls 54660->54662 54663 42c804 19 API calls 54661->54663 54710 491691 54662->54710 54666 4917c1 54663->54666 54671 491819 54664->54671 54672 491856 54664->54672 54667 446ff8 32 API calls 54665->54667 54823 44734c 19 API calls 54666->54823 54668 4917ee 54667->54668 54824 4071f8 22 API calls 54668->54824 54674 446ff8 32 API calls 54671->54674 54677 49188e 54672->54677 54678 491865 54672->54678 54673 4917f9 54825 44734c 19 API calls 54673->54825 54676 491828 54674->54676 54679 446ff8 32 API calls 54676->54679 54685 49189d 54677->54685 54686 4918c6 54677->54686 54680 446ff8 32 API calls 54678->54680 54681 491839 54679->54681 54682 491872 54680->54682 54826 491354 22 API calls 54681->54826 54684 42c8a4 19 API calls 54682->54684 54688 49187d 54684->54688 54689 446ff8 32 API calls 54685->54689 54694 4918fe 54686->54694 54695 4918d5 54686->54695 54687 491845 54827 44734c 19 API calls 54687->54827 54828 44734c 19 API calls 54688->54828 54691 4918aa 54689->54691 54693 42c8cc 19 API calls 54691->54693 54696 4918b5 54693->54696 54700 49190d 54694->54700 54705 491936 54694->54705 54697 446ff8 32 API calls 54695->54697 54829 44734c 19 API calls 54696->54829 54699 4918e2 54697->54699 54830 42c8fc 19 API calls 54699->54830 54702 446ff8 32 API calls 54700->54702 54704 49191a 54702->54704 54703 4918ed 54831 44734c 19 API calls 54703->54831 54707 42c92c 19 API calls 54704->54707 54708 49196e 54705->54708 54709 491945 54705->54709 54711 491925 54707->54711 54715 4919ba 54708->54715 54716 49197d 54708->54716 54712 446ff8 32 API calls 54709->54712 54710->54624 54832 44734c 19 API calls 54711->54832 54714 491952 54712->54714 54717 42c954 19 API calls 54714->54717 54722 4919c9 54715->54722 54723 491a0c 54715->54723 54719 446ff8 32 API calls 54716->54719 54718 49195d 54717->54718 54833 44734c 19 API calls 54718->54833 54721 49198c 54719->54721 54724 446ff8 32 API calls 54721->54724 
54725 446ff8 32 API calls 54722->54725 54731 491a1b 54723->54731 54732 491a7f 54723->54732 54726 49199d 54724->54726 54727 4919dc 54725->54727 54834 42c4f8 19 API calls 54726->54834 54729 446ff8 32 API calls 54727->54729 54733 4919ed 54729->54733 54730 4919a9 54835 44734c 19 API calls 54730->54835 54735 446ff8 32 API calls 54731->54735 54738 491abe 54732->54738 54739 491a8e 54732->54739 54836 49154c 26 API calls 54733->54836 54736 491a28 54735->54736 54804 42c608 21 API calls 54736->54804 54750 491afd 54738->54750 54751 491acd 54738->54751 54742 446ff8 32 API calls 54739->54742 54741 4919fb 54837 44734c 19 API calls 54741->54837 54745 491a9b 54742->54745 54743 491a36 54746 491a3a 54743->54746 54747 491a6f 54743->54747 54748 452908 5 API calls 54745->54748 54749 446ff8 32 API calls 54746->54749 54752 4470d0 19 API calls 54747->54752 54753 491aa8 54748->54753 54754 491a49 54749->54754 54759 491b3c 54750->54759 54760 491b0c 54750->54760 54755 446ff8 32 API calls 54751->54755 54752->54710 54756 4470d0 19 API calls 54753->54756 54805 452c80 54754->54805 54758 491ada 54755->54758 54756->54710 54838 452770 54758->54838 54769 491b4b 54759->54769 54770 491b84 54759->54770 54763 446ff8 32 API calls 54760->54763 54766 491b19 54763->54766 54765 491ae7 54768 452e10 5 API calls 54766->54768 54771 491b26 54768->54771 54772 446ff8 32 API calls 54769->54772 54776 491bcc 54770->54776 54777 491b93 54770->54777 54774 4470d0 19 API calls 54771->54774 54773 491b5a 54772->54773 54775 446ff8 32 API calls 54773->54775 54774->54710 54778 491b6b 54775->54778 54781 491bdf 54776->54781 54788 491c95 54776->54788 54779 446ff8 32 API calls 54777->54779 54845 447278 19 API calls 54778->54845 54780 491ba2 54779->54780 54782 446ff8 32 API calls 54780->54782 54784 446ff8 32 API calls 54781->54784 54785 491bb3 54782->54785 54786 491c0c 54784->54786 54787 446ff8 32 API calls 54786->54787 54788->54710 54791 446f9c 32 API calls 54788->54791 54792 491cae 54791->54792 54793 42e8c8 19 API calls 54792->54793 
54804->54743 54806 452724 2 API calls 54805->54806 54812->54710 54813->54710 54814->54640 54815->54710 54816->54648 54817->54710 54818->54649 54819->54710 54821 403738 54820->54821 54822 4072b2 SetCurrentDirectoryA 54821->54822 54822->54660 54823->54710 54824->54673 54825->54710 54826->54687 54827->54710 54828->54710 54829->54710 54830->54703 54831->54710 54832->54710 54833->54710 54834->54730 54835->54710 54836->54741 54837->54710 54839 452724 2 API calls 54838->54839 54840 452786 54839->54840 54841 45278a 54840->54841 54842 4527a8 CreateDirectoryA GetLastError 54840->54842 54841->54765 54843 452760 Wow64RevertWow64FsRedirection 54842->54843 54845->54710 54851 41fb58 54852 41fb61 54851->54852 54855 41fdfc 54852->54855 54854 41fb6e 54856 41feee 54855->54856 54857 41fe13 54855->54857 54856->54854 54857->54856 54876 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 54857->54876 54859 41fe49 54860 41fe73 54859->54860 54861 41fe4d 54859->54861 54886 41f9bc GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 54860->54886 54877 41fb9c 54861->54877 54865 41fe81 54867 41fe85 54865->54867 54868 41feab 54865->54868 54866 41fb9c 10 API calls 54870 41fe71 54866->54870 54871 41fb9c 10 API calls 54867->54871 54869 41fb9c 10 API calls 54868->54869 54872 41febd 54869->54872 54870->54854 54873 41fe97 54871->54873 54875 41fb9c 10 API calls 54872->54875 54874 41fb9c 10 API calls 54873->54874 54874->54870 54875->54870 54876->54859 54878 41fbb7 54877->54878 54879 41f93c 4 API calls 54878->54879 54880 41fbcd 54878->54880 54879->54880 54887 41f93c 54880->54887 54882 41fc15 54883 41fc38 SetScrollInfo 54882->54883 54895 41fa9c 54883->54895 54886->54865 54888 4181e0 54887->54888 54889 41f959 GetWindowLongA 54888->54889 54890 41f996 54889->54890 54891 41f976 54889->54891 54907 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 54890->54907 54906 41f8c8 GetWindowLongA GetSystemMetrics GetSystemMetrics 54891->54906 54894 41f982 54894->54882 54896 41faaa 
54895->54896 54897 41fab2 54895->54897 54896->54866 54898 41faf1 54897->54898 54899 41fae1 54897->54899 54905 41faef 54897->54905 54909 417e48 IsWindowVisible ScrollWindow SetWindowPos 54898->54909 54908 417e48 IsWindowVisible ScrollWindow SetWindowPos 54899->54908 54900 41fb31 GetScrollPos 54900->54896 54903 41fb3c 54900->54903 54904 41fb4b SetScrollPos 54903->54904 54904->54896 54905->54900 54906->54894 54907->54894 54908->54905 54909->54905 54910 420598 54911 4205ab 54910->54911 54931 415b30 54911->54931 54913 4205e6 54914 4206f2 54913->54914 54915 420651 54913->54915 54924 420642 MulDiv 54913->54924 54918 420709 54914->54918 54938 4146d4 KiUserCallbackDispatcher 54914->54938 54936 420848 34 API calls 54915->54936 54917 420720 54921 420742 54917->54921 54940 420060 12 API calls 54917->54940 54918->54917 54939 414718 KiUserCallbackDispatcher 54918->54939 54922 42066a 54922->54914 54937 420060 12 API calls 54922->54937 54935 41a304 19 API calls 54924->54935 54927 420687 54928 4206a3 MulDiv 54927->54928 54929 4206c6 54927->54929 54928->54929 54929->54914 54930 4206cf MulDiv 54929->54930 54930->54914 54932 415b42 54931->54932 54941 414470 54932->54941 54934 415b5a 54934->54913 54935->54915 54936->54922 54937->54927 54938->54918 54939->54917 54940->54921 54942 41448a 54941->54942 54945 410458 54942->54945 54944 4144a0 54944->54934 54948 40dca4 54945->54948 54947 41045e 54947->54944 54949 40dd06 54948->54949 54950 40dcb7 54948->54950 54951 40dd14 33 API calls 54949->54951 54959 40dd14 54950->54959 54952 40dd10 54951->54952 54952->54947 54956 40dce9 54972 40d728 DestroyWindow 54956->54972 54958 40dcfe 54958->54947 54960 40dd24 54959->54960 54962 40dd3a 54960->54962 54973 40e09c 54960->54973 54989 40d5e0 54960->54989 54992 40df4c 54962->54992 54965 40dd42 54966 40d5e0 19 API calls 54965->54966 54967 40ddae 54965->54967 54995 40db60 54965->54995 54966->54965 54968 40df4c 19 API calls 54967->54968 54970 40dce1 54968->54970 54971 40d67c DestroyWindow 54970->54971 
54971->54956 54972->54958 54974 40e96c 19 API calls 54973->54974 54977 40e0d7 54974->54977 54975 403778 18 API calls 54975->54977 54976 40e18d 54978 40e1b7 54976->54978 54979 40e1a8 54976->54979 54977->54975 54977->54976 55063 40d774 19 API calls 54977->55063 55064 40e080 19 API calls 54977->55064 55060 40ba24 54978->55060 55009 40e3c0 54979->55009 54985 40e1b5 54986 403400 4 API calls 54985->54986 54987 40e25c 54986->54987 54987->54960 54990 40ea08 19 API calls 54989->54990 54991 40d5ea 54990->54991 54991->54960 55097 40d4bc 54992->55097 54996 40df54 19 API calls 54995->54996 54997 40db93 54996->54997 54998 40e96c 19 API calls 54997->54998 54999 40db9e 54998->54999 55000 40e96c 19 API calls 54999->55000 55001 40dba9 55000->55001 55002 40dbc4 55001->55002 55003 40dbbb 55001->55003 55008 40dbc1 55001->55008 55106 40d9d8 55002->55106 55109 40dac8 33 API calls 55003->55109 55006 403420 4 API calls 55007 40dc8f 55006->55007 55007->54965 55008->55006 55010 40e3f6 55009->55010 55011 40e3ec 55009->55011 55013 40e511 55010->55013 55014 40e495 55010->55014 55015 40e4f6 55010->55015 55016 40e576 55010->55016 55017 40e438 55010->55017 55018 40e4d9 55010->55018 55019 40e47a 55010->55019 55020 40e4bb 55010->55020 55036 40e45c 55010->55036 55066 40d440 19 API calls 55011->55066 55029 40d764 19 API calls 55013->55029 55074 40de24 19 API calls 55014->55074 55079 40e890 19 API calls 55015->55079 55024 40d764 19 API calls 55016->55024 55067 40d764 55017->55067 55077 40e9a8 19 API calls 55018->55077 55073 40d818 19 API calls 55019->55073 55076 40dde4 19 API calls 55020->55076 55023 403400 4 API calls 55031 40e5eb 55023->55031 55032 40e57e 55024->55032 55030 40e519 55029->55030 55037 40e523 55030->55037 55038 40e51d 55030->55038 55031->54985 55039 40e582 55032->55039 55040 40e59b 55032->55040 55033 40e4e4 55078 409d38 18 API calls 55033->55078 55035 40e4a0 55075 40d470 19 API calls 55035->55075 55036->55023 55080 40ea08 55037->55080 55045 40e521 55038->55045 55046 40e53c 55038->55046 
55048 40ea08 19 API calls 55039->55048 55086 40de24 19 API calls 55040->55086 55042 40e461 55072 40ded8 19 API calls 55042->55072 55043 40e444 55070 40de24 19 API calls 55043->55070 55084 40de24 19 API calls 55045->55084 55052 40ea08 19 API calls 55046->55052 55048->55036 55055 40e544 55052->55055 55053 40e44f 55071 40e26c 19 API calls 55053->55071 55083 40d8a0 19 API calls 55055->55083 55057 40e566 55085 40e2d4 18 API calls 55057->55085 55092 40b9d0 55060->55092 55063->54977 55064->54977 55065 40d774 19 API calls 55065->54985 55066->55010 55068 40ea08 19 API calls 55067->55068 55069 40d76e 55068->55069 55069->55042 55069->55043 55070->55053 55071->55036 55072->55036 55073->55036 55074->55035 55075->55036 55076->55036 55077->55033 55078->55036 55079->55036 55087 40d780 55080->55087 55083->55036 55084->55057 55085->55036 55086->55036 55088 40d78b 55087->55088 55089 40d7c5 55088->55089 55091 40d7cc 19 API calls 55088->55091 55089->55036 55091->55088 55093 40b9e2 55092->55093 55094 40ba07 55092->55094 55093->55094 55096 40ba84 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55093->55096 55094->54985 55094->55065 55096->55094 55098 40ea08 19 API calls 55097->55098 55099 40d4c9 55098->55099 55100 40d4dc 55099->55100 55104 40eb0c 19 API calls 55099->55104 55100->54965 55102 40d4d7 55105 40d458 19 API calls 55102->55105 55104->55102 55105->55100 55110 40ab7c 33 API calls 55106->55110 55109->55008 55111 47c89c 55113 47c8a7 55111->55113 55112 452908 5 API calls 55112->55113 55113->55112 55114 47c8bd GetLastError 55113->55114 55115 47c8e8 55113->55115 55114->55115 55116 47c8c7 GetLastError 55114->55116 55116->55115 55117 47c8d1 GetTickCount 55116->55117 55117->55115 55118 47c8df Sleep 55117->55118 55118->55113 55119 42285c 55120 42288c 55119->55120 55121 42286f 55119->55121 55123 422aa1 55120->55123 55124 4228c6 55120->55124 55130 422aff 55120->55130 55121->55120 55122 408cbc 19 API calls 55121->55122 55122->55120 55125 422af3 55123->55125 55126 422ae9 55123->55126 55131 
42291d 55124->55131 55159 4231a8 GetSystemMetrics 55124->55159 55125->55130 55135 422b37 55125->55135 55136 422b18 55125->55136 55162 421e2c 25 API calls 55126->55162 55127 4229c9 55132 4229d5 55127->55132 55133 422a0b 55127->55133 55128 422a7c 55137 422a96 ShowWindow 55128->55137 55131->55127 55131->55128 55140 4229df SendMessageA 55132->55140 55141 422a25 ShowWindow 55133->55141 55139 422b41 GetActiveWindow 55135->55139 55142 422b2f SetWindowPos 55136->55142 55137->55130 55138 422961 55160 4231a0 GetSystemMetrics 55138->55160 55146 422b4c 55139->55146 55158 422b6b 55139->55158 55143 4181e0 55140->55143 55145 4181e0 55141->55145 55142->55130 55147 422a03 ShowWindow 55143->55147 55150 422a47 CallWindowProcA 55145->55150 55151 422b54 IsIconic 55146->55151 55152 422a5a SendMessageA 55147->55152 55148 422b71 55156 422b88 SetWindowPos SetActiveWindow 55148->55156 55149 422b96 55154 422ba0 ShowWindow 55149->55154 55161 414cc4 55150->55161 55155 422b5e 55151->55155 55151->55158 55152->55130 55154->55130 55163 41eff4 GetCurrentThreadId EnumThreadWindows 55155->55163 55156->55130 55158->55148 55158->55149 55159->55138 55160->55131 55161->55152 55162->55125 55164 41f022 55163->55164 55164->55158 55165 42f520 55166 42f52b 55165->55166 55167 42f52f NtdllDefWindowProc_A 55165->55167 55167->55166 55168 4358e0 55169 4358f5 55168->55169 55172 43590f 55169->55172 55174 4352c8 55169->55174 55177 435312 55174->55177 55209 4352f8 55174->55209 55175 403400 4 API calls 55176 435717 55175->55176 55176->55172 55215 435728 18 API calls 55176->55215 55177->55175 55178 446da4 18 API calls 55178->55209 55179 4354cc 55181 402b58 DestroyWindow 55179->55181 55180 43535a 55182 402b58 DestroyWindow 55180->55182 55181->55177 55182->55177 55183 4354fd 55184 402b58 DestroyWindow 55183->55184 55184->55177 55185 435549 55186 402b58 DestroyWindow 55185->55186 55186->55177 55187 43539d 55188 402b58 DestroyWindow 55187->55188 55188->55177 55189 402648 18 API calls 55189->55209 55190 4353f8 55191 402b58 
DestroyWindow 55190->55191 55191->55177 55193 431ca0 18 API calls 55193->55209 55194 4038a4 18 API calls 55194->55209 55195 43546c 55196 402b58 DestroyWindow 55195->55196 55196->55177 55197 4356de 55200 402b58 DestroyWindow 55197->55200 55198 4355ad 55201 402b58 DestroyWindow 55198->55201 55199 4355d1 55202 402b58 DestroyWindow 55199->55202 55200->55177 55201->55177 55202->55177 55203 403450 18 API calls 55203->55209 55204 403744 18 API calls 55204->55209 55205 435610 55206 402b58 DestroyWindow 55205->55206 55206->55177 55207 435641 55208 402b58 DestroyWindow 55207->55208 55208->55177 55209->55177 55209->55178 55209->55179 55209->55180 55209->55183 55209->55185 55209->55187 55209->55189 55209->55190 55209->55193 55209->55194 55209->55195 55209->55197 55209->55198 55209->55199 55209->55203 55209->55204 55209->55205 55209->55207 55210 435665 55209->55210 55212 4356a4 55209->55212 55216 4343b0 55209->55216 55228 434b74 18 API calls 55209->55228 55211 402b58 DestroyWindow 55210->55211 55211->55177 55213 402b58 DestroyWindow 55212->55213 55213->55177 55215->55172 55217 43446d 55216->55217 55218 4343dd 55216->55218 55250 434310 18 API calls 55217->55250 55219 403494 4 API calls 55218->55219 55221 4343eb 55219->55221 55224 403778 18 API calls 55221->55224 55222 43445f 55223 403400 4 API calls 55222->55223 55225 4344bd 55223->55225 55226 43440c 55224->55226 55225->55209 55226->55222 55229 494520 55226->55229 55228->55209 55230 494558 55229->55230 55231 4945f0 55229->55231 55232 403494 4 API calls 55230->55232 55281 448930 55231->55281 55235 494563 55232->55235 55234 403400 4 API calls 55236 494614 55234->55236 55237 494573 55235->55237 55239 4037b8 18 API calls 55235->55239 55238 403400 4 API calls 55236->55238 55237->55234 55240 49461c 55238->55240 55241 49458c 55239->55241 55240->55226 55241->55237 55242 4037b8 18 API calls 55241->55242 55243 4945af 55242->55243 55248 42cd24 GetFileAttributesA 55243->55248 55251 47ddac 55243->55251 55244 4945b8 55245 403778 18 API calls 
55244->55245 55246 4945e0 55245->55246 55247 403634 18 API calls 55246->55247 55247->55231 55248->55244 55250->55222 55257 47ddca 55251->55257 55252 47dde2 55253 403400 4 API calls 55252->55253 55255 47dde9 55253->55255 55254 47de3e 55262 47de51 55254->55262 55263 47df1f 55254->55263 55259 403420 4 API calls 55255->55259 55256 47de1c 55258 403400 4 API calls 55256->55258 55257->55252 55257->55254 55257->55256 55260 4037b8 18 API calls 55257->55260 55258->55255 55261 47df4d 55259->55261 55260->55257 55261->55244 55264 47de5a 55262->55264 55265 47de69 55262->55265 55266 47bdf4 58 API calls 55263->55266 55267 403400 4 API calls 55264->55267 55268 403778 18 API calls 55265->55268 55269 47df29 55266->55269 55267->55255 55276 47de7e 55268->55276 55270 403450 18 API calls 55269->55270 55270->55255 55271 403778 18 API calls 55271->55276 55272 4037b8 18 API calls 55272->55276 55273 47bdf4 58 API calls 55273->55276 55274 403494 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 55274->55276 55275 42c3fc 19 API calls 55275->55276 55276->55255 55276->55271 55276->55272 55276->55273 55276->55274 55276->55275 55277 4035c0 18 API calls 55276->55277 55278 42cd24 GetFileAttributesA 55276->55278 55280 403450 18 API calls 55276->55280 55293 4763c4 55276->55293 55277->55276 55278->55276 55280->55276 55282 448955 55281->55282 55292 448998 55281->55292 55283 403494 4 API calls 55282->55283 55286 448960 55283->55286 55285 403400 4 API calls 55288 4489df 55285->55288 55289 4037b8 18 API calls 55286->55289 55287 4489ac 55287->55285 55288->55237 55290 44897c 55289->55290 55291 4037b8 18 API calls 55290->55291 55291->55292 55292->55287 55392 44852c 55292->55392 55306 476204 55293->55306 55307 403494 4 API calls 55306->55307 55393 403494 4 API calls 55392->55393 55394 448562 55393->55394 55395 4037b8 18 API calls 55394->55395 55396 448574 55395->55396 55397 403778 18 API calls 55396->55397 55398 448595 55397->55398 55399 4037b8 18 API calls 55398->55399 55400 4485ad 55399->55400 55401 403778 18 
[Execution graph for the main module: the rendered control-flow graph did not survive extraction; only its node-to-node edge list remained, with basic-block node IDs, code addresses in the 0x401000-0x49xxxx range, and the Windows API calls reached from those blocks. API names recoverable from the edge list: LoadLibraryA, LoadLibraryExA, GetMenu, SetMenu, GetMenuItemCount, GetMenuStringA, GetMenuState, ExitProcess, MessageBoxA, LocalAlloc, LocalFree, TlsSetValue, TlsGetValue, VirtualFree, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, GetLastError, DestroyWindow, SetErrorMode, SetActiveWindow, GetForegroundWindow, KiUserCallbackDispatcher, SendMessageA, PostMessageA, PostQuitMessage, IsIconic, CharNextA, IsDBCSLeadByte, GetTickCount, MsgWaitForMultipleObjects, GetWindowThreadProcessId, GetCurrentProcessId, RegOpenKeyExA, RegCloseKey, WriteFile, GetWindowsDirectoryA, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalFree, SetWindowLongA, GetWindowLongA, SetPropA, GetPropA, EnumWindows, GetWindow, SetWindowPos, NtdllDefWindowProc_A, GetFocus, SetFocus, IsWindowEnabled, IsWindowVisible, ShowWindow, WinHelpA.]
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID:
• String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
• API String ID: 0-4234653879
• Opcode ID: 0b35161c62076a0aa1b79bef7233e41cfe119bc3bfa0d241014cb232ecee9a80
• Instruction ID: d02af680958f845af4f17b62cfc8fb9d1a0ae824f2bdeb6ca06ac61dfeb0c001
• Opcode Fuzzy Hash: 0b35161c62076a0aa1b79bef7233e41cfe119bc3bfa0d241014cb232ecee9a80
• Instruction Fuzzy Hash: 11D26270B002055BDB14FFBAD8815AEA7B5AF89704F50883FF451A7386DA38ED0A8759
Strings
• Will register the file (a type library) later., xrefs: 004713EF
• Dest file exists., xrefs: 00470897
• User opted not to overwrite the existing file. Skipping., xrefs: 00470D29
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470BA0
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470BAC
• InUn, xrefs: 0047103B
• Version of existing file: (none), xrefs: 00470BD6
• Stripped read-only attribute., xrefs: 00470DA3
• Incrementing shared file count (64-bit)., xrefs: 00471468
• Time stamp of our file: (failed to read), xrefs: 00470883
• Incrementing shared file count (32-bit)., xrefs: 00471481
• Dest file is protected by Windows File Protection., xrefs: 004707C9
• Will register the file (a DLL/OCX) later., xrefs: 004713FB
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004708AA
• Version of our file: %u.%u.%u.%u, xrefs: 004709CC
• Existing file has a later time stamp. Skipping., xrefs: 00470CAB
• d&G, xrefs: 004715F0
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470D72
• Version of existing file: %u.%u.%u.%u, xrefs: 00470A58
• Dest filename: %s, xrefs: 00470770
• Same version. Skipping., xrefs: 00470BC1
• .tmp, xrefs: 00470E93
• Installing the file., xrefs: 00470DE5
• Couldn't read time stamp. Skipping., xrefs: 00470C11
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470CC8
• Time stamp of existing file: %s, xrefs: 00470907
• Time stamp of existing file: (failed to read), xrefs: 00470913
• , xrefs: 00470AAB, 00470C7C, 00470CFA
• @, xrefs: 0047068C
• Version of our file: (none), xrefs: 004709D8
• Failed to strip read-only attribute., xrefs: 00470DAF
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470DD6
• Non-default bitness: 32-bit, xrefs: 00470797
• Non-default bitness: 64-bit, xrefs: 0047078B
• -- File entry --, xrefs: 004705D7
• Existing file is a newer version. Skipping., xrefs: 00470ADE
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470B91
• Time stamp of our file: %s, xrefs: 00470877
• Uninstaller requires administrator: %s, xrefs: 0047106B
• Same time stamp. Skipping., xrefs: 00470C31
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd

Control-flow Graph
APIs
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
• FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd

Control-flow Graph
APIs
• CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004568E9), ref: 004565B6 (rclsid at 00499A74, pUnkOuter NULL, dwClsContext 1 = CLSCTX_INPROC_SERVER, riid at 00499774)
• CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004568E9), ref: 004565DC (fallback: different rclsid at 00499764, same riid and CLSCTX_INPROC_SERVER)
• SysFreeString.OLEAUT32(?), ref: 00456769
Strings
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456812
• IPersistFile::Save, xrefs: 00456870
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004566CB
• CoCreateInstance, xrefs: 004565E7
• IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004567D8
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 004567A0
• IPropertyStore::Commit, xrefs: 004567F1
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566FF
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 0045674E
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateInstance$FreeString
• String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
• API String ID: 308859552-3566394107
• Opcode ID: e79d94b7fa80332a8ad5a6f485323860ebed742ecbc364eddad45eb2579c0322
• Instruction ID: 566ce70ebd2e7e48b4641fa416f4fd375dd646780ce199d2d8f0499ea0915a3b
• Opcode Fuzzy Hash: e79d94b7fa80332a8ad5a6f485323860ebed742ecbc364eddad45eb2579c0322
• Instruction Fuzzy Hash: 2DB13170A00104AFDB50DFA9C885BAE7BF8AF09306F55406AF904E7352DB78DD48CB69
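The string table of function 00456574 is the failure-message set of a shortcut-creation routine: CoCreateInstance for IShellLink, QueryInterface to IPropertyStore with SetValue for PKEY_AppUserModel_ID, PreventPinning, ExcludeFromShowInNewInstall and StartPinOption followed by Commit, then QueryInterface to IPersistFile and IPersistFile::Save. What such a routine leaves on disk is a .lnk whose target string data and AppUserModel properties an analyst wants to read back without launching anything. The parser below is an added example written for this report, not code from the analysed sample or from Joe Sandbox. It follows the public MS-SHLLINK and MS-PROPSTORE layouts and the public PKEY_AppUserModel definitions (FMTID 9F4C2855-9F79-4B39-A8D0-E1D42DE1D5F3, property IDs 5, 8, 9, 12); the .lnk it reads is constructed inline by build_lnk with made-up values so the script runs offline. It deliberately skips the LinkTargetIDList and LinkInfo structures, so for a real dropped shortcut it reports the relative path and arguments but not LocalBasePath.

```python
"""Minimal MS-SHLLINK (.lnk) parser: recovers the StringData fields and the
AppUserModel properties that a shortcut-creation routine like the one above
writes through IPropertyStore::SetValue. Added example, not sample code."""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
PROPERTY_STORE_SIG = 0xA0000009        # ExtraData block holding the property store
PROPERTY_STORAGE_VERSION = 0x53505331  # '1SPS' (MS-PROPSTORE)
FMTID_APPUSERMODEL = "9F4C2855-9F79-4B39-A8D0-E1D42DE1D5F3"
APPUSERMODEL_PIDS = {5: "ID", 8: "ExcludeFromShowInNewInstall",
                     9: "PreventPinning", 12: "StartPinOption"}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order
VT_LPWSTR, VT_BOOL, VT_UI4 = 0x1F, 0x0B, 0x13


def _typed_value(blob, pos):
    """TypedPropertyValue: Type (2), Padding (2), then the value."""
    vtype = struct.unpack_from("<H", blob, pos)[0]
    pos += 4
    if vtype == VT_LPWSTR:               # Length in UTF-16 chars incl. terminator
        n = struct.unpack_from("<I", blob, pos)[0]
        return blob[pos + 4:pos + 4 + 2 * n].decode("utf-16-le").rstrip("\x00")
    if vtype == VT_BOOL:                 # VARIANT_BOOL, 0xFFFF == VARIANT_TRUE
        return struct.unpack_from("<h", blob, pos)[0] != 0
    if vtype == VT_UI4:
        return struct.unpack_from("<I", blob, pos)[0]
    return None                          # other variant types are not decoded here


def parse_property_store(blob):
    """Serialized Property Storage list -> {(fmtid, pid): value} (integer-named)."""
    props, off = {}, 0
    while off + 4 <= len(blob):
        storage_size = struct.unpack_from("<I", blob, off)[0]
        if storage_size == 0:                      # end of storages
            break
        if struct.unpack_from("<I", blob, off + 4)[0] != PROPERTY_STORAGE_VERSION:
            raise ValueError("bad serialized property storage version")
        fmtid = str(uuid.UUID(bytes_le=blob[off + 8:off + 24])).upper()
        pos, end = off + 24, off + storage_size
        while pos + 4 <= end:
            value_size = struct.unpack_from("<I", blob, pos)[0]
            if value_size == 0:                    # end of values
                break
            pid = struct.unpack_from("<I", blob, pos + 4)[0]  # Id (4), Reserved (1)
            props[(fmtid, pid)] = _typed_value(blob, pos + 9)
            pos += value_size
        off = end
    return props


def parse_lnk(data):
    """Return StringData fields plus the AppUserModel properties of a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info, off = {"app_user_model": {}}, 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2) + IDList, skipped
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself, skipped
        off += struct.unpack_from("<I", data, off)[0]
    for bit, name in STRING_FIELDS:                # CountCharacters (2) + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2:off + 2 + width * count]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + width * count
    while off + 4 <= len(data):                    # ExtraData: BlockSize, BlockSignature
        size = struct.unpack_from("<I", data, off)[0]
        if size < 8:                               # TerminalBlock (< 4) or too short
            break
        if struct.unpack_from("<I", data, off + 4)[0] == PROPERTY_STORE_SIG:
            store = parse_property_store(data[off + 8:off + size])
            for (fmtid, pid), value in store.items():
                if fmtid == FMTID_APPUSERMODEL:
                    info["app_user_model"][APPUSERMODEL_PIDS.get(pid, pid)] = value
        off += size
    return info


def build_lnk(relative_path, arguments, app_id, prevent_pinning):
    """Constructed test input (not a file dropped by the sample): header,
    RELATIVE_PATH, COMMAND_LINE_ARGUMENTS and a PropertyStoreDataBlock with
    AppUserModel.ID (VT_LPWSTR) and AppUserModel.PreventPinning (VT_BOOL)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID.bytes_le,
                         0x08 | 0x20 | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    def prop(pid, typed):                 # ValueSize (4), Id (4), Reserved (1), value
        return struct.pack("<IIB", 9 + len(typed), pid, 0) + typed
    wide = (app_id + "\x00").encode("utf-16-le")
    wide += b"\x00" * (-len(wide) % 4)    # VT_LPWSTR characters are 4-byte padded
    values = (prop(5, struct.pack("<HHI", VT_LPWSTR, 0, len(app_id) + 1) + wide)
              + prop(9, struct.pack("<HHhH", VT_BOOL, 0, -1 if prevent_pinning else 0, 0))
              + b"\x00" * 4)
    storage = (struct.pack("<II", 24 + len(values), PROPERTY_STORAGE_VERSION)
               + uuid.UUID(FMTID_APPUSERMODEL).bytes_le + values)
    body = storage + b"\x00" * 4
    block = struct.pack("<II", 8 + len(body), PROPERTY_STORE_SIG) + body
    return header + string_data(relative_path) + string_data(arguments) + block + b"\x00" * 4
```

Run parse_lnk on the bytes of a real shortcut to see the same fields the routine above populates; an unexpected "arguments" value on a shortcut whose relative path ends in cmd.exe, powershell.exe or rundll32.exe is the usual thing to look for, and a PreventPinning of True or a vendor-unrelated AppUserModel.ID on a dropped shortcut is worth a second look.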

Control-flow Graph
Control-flow graph of function 00423c0c (basic blocks 423c0c to 42415a; graph rendering not reproduced). External calls along its branches: IsIconic, GetFocus, SetFocus, IsWindowEnabled, IsWindowVisible, SendMessageA, PostMessageA. Internal helper 4181e0 is called immediately before nearly every USER32 call, consistent with a window-handle accessor; roughly twenty further internal helpers (423b68, 40b24c, 424194, 4241dc, 423b84, 424850, 41eff4, 404e54, 4244d4, 42452c, 424178, 423a84, 423b14, 41ef58, 41eea4, 423bc0, 422c4c, 412310, 415240) are reached from the many branches. No API or string list was recorded for this function.
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6a3816862b514f70ca1b361f81ea91c83852cb9df02cd0e0faeb288ab1859b4
• Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
• Opcode Fuzzy Hash: a6a3816862b514f70ca1b361f81ea91c83852cb9df02cd0e0faeb288ab1859b4
• Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

Control-flow Graph
Control-flow graph of function 0042285c (basic blocks 42285c to 422bbd; graph rendering not reproduced). External calls along its branches: ShowWindow, SendMessageA, CallWindowProcA, SetWindowPos, GetActiveWindow, SetActiveWindow, IsIconic; as in function 00423c0c, helper 4181e0 is called right before each USER32 call. Other internal callees: 408cbc, 40311c, 402c00, 421e2c, 4166b0, 4231a8, 4231a0, 4146bc, 414700, 414cc4, 41eff4.
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4 (uMsg 0x223 = WM_MDIRESTORE)
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04 (nCmdShow 3 = SW_MAXIMIZE)
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
• Opcode ID: 51b0364919ae9db351a8db8a8757ad53d3501c4eae3ca631765fc17792d96d2d
• Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
• Opcode Fuzzy Hash: 51b0364919ae9db351a8db8a8757ad53d3501c4eae3ca631765fc17792d96d2d
• Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
APIs
  • Part of subcall function 004954A8: GetWindowRect.USER32(00000000), ref: 004954BE
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046764B (hInstance 0x400000 is the sample's own module: a bitmap resource named STOPIMAGE)
  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,00467665), ref: 0041D6DB
  • Part of subcall function 00467058: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004670FB (dwFileAttributes 0x10 = FILE_ATTRIBUTE_DIRECTORY with uFlags 0x1010 = SHGFI_ICONLOCATION | SHGFI_USEFILEATTRIBUTES: fetches the generic folder icon location without touching the file system)
  • Part of subcall function 00467058: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467121
  • Part of subcall function 00467058: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467178
  • Part of subcall function 00466A18: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467700,00000000,00000000,00000000,0000000C,00000000), ref: 00466A30
  • Part of subcall function 0049572C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495736
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8 (SHAutoComplete is resolved at run time rather than imported statically)
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5 (dwFlags 1 = SHACF_FILESYSTEM)
  • Part of subcall function 004953F8: GetDC.USER32(00000000), ref: 0049541A
  • Part of subcall function 004953F8: SelectObject.GDI32(?,00000000), ref: 00495440
  • Part of subcall function 004953F8: ReleaseDC.USER32(00000000,?), ref: 00495491
  • Part of subcall function 0049571C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495726
                                                                                                                                                                                                                                                        • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 004682D5
                                                                                                                                                                                                                                                        • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004682E6
                                                                                                                                                                                                                                                        • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004682FE
                                                                                                                                                                                                                                                          • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                                                                                                                                                                                                        • String ID: $(Default)$3!H$STOPIMAGE
                                                                                                                                                                                                                                                        • API String ID: 3231140908-1654834099
                                                                                                                                                                                                                                                        • Opcode ID: 74ef8a35b9b8fc54da3a310be392b5605cecb2abae3d4e67161a0eb4122d87c7
                                                                                                                                                                                                                                                        • Instruction ID: b700352d90e143707aa16fa6df3394eb4c79b632d69f0e323bfe47862c193e97
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74ef8a35b9b8fc54da3a310be392b5605cecb2abae3d4e67161a0eb4122d87c7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09F2C6386005249FCB00EB59D5D9F9973F1BF49304F1582BAE5049B36ADB74AC46CF8A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                                                                                                                                                                                        • GetDiskFreeSpaceExA.KERNELBASE(00000000,?,?,00000000,00000000,00455F29,?,00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E98
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressDiskFreeHandleModuleProcSpace
                                                                                                                                                                                                                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                                                                                                                                        • API String ID: 1197914913-3712701948
                                                                                                                                                                                                                                                        • Opcode ID: 0cf4dfe6aae4aecb46ca130a60c8265bfc072b423f1d49aa537b4760483e04fe
                                                                                                                                                                                                                                                        • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0cf4dfe6aae4aecb46ca130a60c8265bfc072b423f1d49aa537b4760483e04fe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00474FCE,?,?,0049C1DC,00000000), ref: 00474EBD
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474FCE,?,?,0049C1DC,00000000), ref: 00474F9A
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474FCE,?,?,0049C1DC,00000000), ref: 00474FA8
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$File$CloseFirstNext
                                                                                                                                                                                                                                                        • String ID: unins$unins???.*
                                                                                                                                                                                                                                                        • API String ID: 3541575487-1009660736
                                                                                                                                                                                                                                                        • Opcode ID: b649989a6049c3436182c2bb5e84e3edffc312e753dc4685f5b3c678a0cc44ba
                                                                                                                                                                                                                                                        • Instruction ID: 71c31de5aec6568d3fd02c10b200621d6e733b678e62e08c2b577e25fb21157a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b649989a6049c3436182c2bb5e84e3edffc312e753dc4685f5b3c678a0cc44ba
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B3132706005489FCB10EB65CD91ADEB7A9EF85308F51C4B6E50CEB2A2DB389F458F58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressLibraryLoadProc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2574300362-0
                                                                                                                                                                                                                                                        • Opcode ID: bbee7e0047e0021721baff079e26fbf7481f990012d18e41f1f23c4fced0fd86
                                                                                                                                                                                                                                                        • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bbee7e0047e0021721baff079e26fbf7481f990012d18e41f1f23c4fced0fd86
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileFindFirstLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 873889042-0
                                                                                                                                                                                                                                                        • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                                                                                                                                                                        • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InfoLocale
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2299586839-0
                                                                                                                                                                                                                                                        • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                                                                                                                                                                        • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: NtdllProc_Window
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4255912815-0
                                                                                                                                                                                                                                                        • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                                                                                                                                                                        • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: NameUser
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2645101109-0
                                                                                                                                                                                                                                                        • Opcode ID: c88cbf789a6641c4b706c01e69cacd1b1581240507725cd8c18f4a5e994771e1
                                                                                                                                                                                                                                                        • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c88cbf789a6641c4b706c01e69cacd1b1581240507725cd8c18f4a5e994771e1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: NtdllProc_Window
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4255912815-0
                                                                                                                                                                                                                                                        • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                                                                                                                                                                        • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Control-flow Graph (rendered graph image not recoverable from this export)
APIs
  • Part of subcall function 0046ED1C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,f`G,?,0049C1DC,?,0046F033,?,00000000,0046F5CE,?,_is1), ref: 0046ED3F
  • Part of subcall function 0046ED8C: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F40A,?,?,00000000,0046F5CE,?,_is1,?), ref: 0046ED9F
• RegCloseKey.ADVAPI32(?,0046F5D5,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F620,?,?,0049C1DC,00000000), ref: 0046F5C8
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Value$Close
• String ID: " /SILENT$5.5.3-dev (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
• API String ID: 3391052094-3291417993
• Opcode ID: 350d457f303b3d1a0d7a11843be7ea0c6425cd52b6654b1112e0283e78a0f07e
• Instruction ID: e010d7796fb7cf4c28bd3f5a2325ab5f55ea2e17d6efaf78f477242790e958ae
• Opcode Fuzzy Hash: 350d457f303b3d1a0d7a11843be7ea0c6425cd52b6654b1112e0283e78a0f07e
• Instruction Fuzzy Hash: 49127435A001099FCB14EF56E891ADE73F5EB48304F20817BE840AB365EB79AD05CB5E

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004835DD
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004835EA
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004835F8
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483600
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048360C
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048362D
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483640
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483646
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 0048365D
Strings
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: 2d7a3cf76853c6228e04a2cf5e1dcf6059238efe67b1f541d8f916056214c91d
• Instruction ID: 881feda35cecc5e02869585bdb0a4ccc1c56b7a648b879ab02fedb7aac1f37a5
• Opcode Fuzzy Hash: 2d7a3cf76853c6228e04a2cf5e1dcf6059238efe67b1f541d8f916056214c91d
• Instruction Fuzzy Hash: AA118140104341B4D731BB7D4D59BAF1A888B11F5AF140D3BA840753C3FABC8E419B6E

Control-flow Graph
APIs
• RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00473C59,?,?,?,?,00000000,00473DB3,?,?,0049C1DC), ref: 004737E8
• RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00473C59,?,?,?,?,00000000,00473DB3), ref: 004737F1
  • Part of subcall function 004734B4: GetLastError.KERNEL32(00000000,00000000,00000000,00473588,?,?,0049C1DC,00000000), ref: 00473541
• RegDeleteValueA.ADVAPI32(?,00000000,00000000,00473C48,?,?,00000000,00473C59,?,?,?,?,00000000,00473DB3), ref: 0047390F
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
  • Part of subcall function 004734B4: GetLastError.KERNEL32(00000000,00000000,00000000,00473588,?,?,0049C1DC,00000000), ref: 00473557
Strings
Similarity
• API ID: DeleteErrorLastValue$CloseCreate
• String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
• API String ID: 2638610037-3092547568
• Opcode ID: 4ba82e80bdfa0cb3500322ce5a18341871dfead2b4573d14df413bd7eb18869f
• Instruction ID: 7f3bd94fd46d44511359ad95d92ecab3c9f8cfa7154b5666b27225ceed3cac76
• Opcode Fuzzy Hash: 4ba82e80bdfa0cb3500322ce5a18341871dfead2b4573d14df413bd7eb18869f
• Instruction Fuzzy Hash: 6C323E74A00248AFCB15DFA9C485BDEBBF4AF08305F048066F904BB362D778AE45DB59

Control-flow Graph
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,00468E7A,?,?,00000001,00000000,00000000,00468E95,?,00000000,00000000,?), ref: 00468E63
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Inno Setup: Deselected Components, xrefs: 00468DA4
                                                                                                                                                                                                                                                        • Inno Setup: Setup Type, xrefs: 00468D72
                                                                                                                                                                                                                                                        • %s\%s_is1, xrefs: 00468CDD
                                                                                                                                                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468CBF
                                                                                                                                                                                                                                                        • Inno Setup: User Info: Serial, xrefs: 00468E45
                                                                                                                                                                                                                                                        • Inno Setup: Deselected Tasks, xrefs: 00468DF1
                                                                                                                                                                                                                                                        • Inno Setup: App Path, xrefs: 00468D22
                                                                                                                                                                                                                                                        • Inno Setup: Selected Components, xrefs: 00468D82
                                                                                                                                                                                                                                                        • Inno Setup: User Info: Organization, xrefs: 00468E32
                                                                                                                                                                                                                                                        • Inno Setup: User Info: Name, xrefs: 00468E1F
                                                                                                                                                                                                                                                        • Inno Setup: Selected Tasks, xrefs: 00468DCF
                                                                                                                                                                                                                                                        • Inno Setup: Icon Group, xrefs: 00468D3E
                                                                                                                                                                                                                                                        • Inno Setup: No Icons, xrefs: 00468D4B
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseOpen
                                                                                                                                                                                                                                                        • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                                                                                        • API String ID: 47109696-1093091907
                                                                                                                                                                                                                                                        • Opcode ID: e39ca5c79a98ef63317efbb1028f085b1a1f7b12764f18e28c99012a72a7f341
                                                                                                                                                                                                                                                        • Instruction ID: 8852ef8b8ed4446cdca4290267838b31d3b3871daa288d52b71b22c3e2ab6549
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e39ca5c79a98ef63317efbb1028f085b1a1f7b12764f18e28c99012a72a7f341
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F51B570A006449FCB15DB69D941BDEB7F5EF98304F50856EE840AB391EB38AF01CB69

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85), ref: 0042D8AB
                                                                                                                                                                                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                                                                                                                                                          • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                                                                                                                                                                          • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                                                                                                                                                                        • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C496), ref: 0047C39A
                                                                                                                                                                                                                                                        • CoTaskMemFree.OLE32(?,0047C3DF), ref: 0047C3D2
                                                                                                                                                                                                                                                          • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                                                                                                                                                                                        • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                                                                                                                                                                        • API String ID: 3771764029-544719455
                                                                                                                                                                                                                                                        • Opcode ID: fae68f7ce1b4accb6bcc686a59b43ab22c0d5fd275f28d015915852254e27fc6
                                                                                                                                                                                                                                                        • Instruction ID: 69001dd7f3d8357c182f41230515665ceffb17943eaae92fd9498dc9e84a0f9e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fae68f7ce1b4accb6bcc686a59b43ab22c0d5fd275f28d015915852254e27fc6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5F616F34A00204ABDB20EBA5D8D2A9E7B69EB44319F90C57FE404A7397C73C9E458F5D

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        • Graph for function 00472A24 (basic blocks 472a24-472e5f; API calls WritePrivateProfileStringA and SHChangeNotify, the latter at three sites). Interactive graph rendering not preserved in this export.
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                                                                                                                                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472BDC
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472CE3
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472CF9
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472D1E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: f648de025d227944a40b6a1189b07e627bd7fea08cdf46801cba0a0222d819ad
• Instruction ID: 2199e5291f6c1fee24e609e14c2fbb33425e4a5dd21fff1bbddffd9c8afea78a
• Opcode Fuzzy Hash: f648de025d227944a40b6a1189b07e627bd7fea08cdf46801cba0a0222d819ad
• Instruction Fuzzy Hash: 0ED12574A00148AFDB11EFA9D581BDEBBF5AF08304F50806AF904B7391D778AE45CB69

Control-flow Graph: 13 basic blocks, 423874-4239ab (entry 423874, exit 4239a7-4239ab). Calls in address order: 41f3c4, GetClassInfoA, RegisterClassA, 408cbc, 40311c, GetSystemMetrics (x2), 403738, 4062e8, 403400, 42364c, SetWindowLongA, 424178, SendMessageA, GetSystemMenu, DeleteMenu (x3).
APIs
• Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
• GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
• RegisterClassA.USER32(00499630), ref: 004238B7
• GetSystemMetrics.USER32(00000000), ref: 004238D9
• GetSystemMetrics.USER32(00000001), ref: 004238E8
• SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
• SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
• GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
• DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
• String ID: |6B
• API String ID: 183575631-3009739247
• Opcode ID: a73a008a7563970272a3625dc9bb64b31da3d68a27a1b0b6dfb252f000dfd8ef
• Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
• Opcode Fuzzy Hash: a73a008a7563970272a3625dc9bb64b31da3d68a27a1b0b6dfb252f000dfd8ef
• Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Control-flow Graph: 14 basic blocks, 47c9cc-47cb06 (entry 47c9cc, exit 47cae9-47cb06). Calls in address order: 42c3fc, 4035c0, 47c690, 4525d8, 453344, 4525d8, 403494, 42e394 (x2), 4078f4, 453344, GetProcAddress, 453344, 403400 (x2).
APIs
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047CACE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc
• String ID: 9tI$Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 190572456-2495307774
• Opcode ID: e31f5324531c17430eb92328054454a85ae0321ab1aa5061e986742380be4216
• Instruction ID: 6cb8ae0fe454569243ffa89843cf59b13e41aa93d1f38be20b841c5ee4678ddc
• Opcode Fuzzy Hash: e31f5324531c17430eb92328054454a85ae0321ab1aa5061e986742380be4216
• Instruction Fuzzy Hash: BE31FD30A001499BCB00EFA5E5D2AEEB7B5EB44715F50847BE408F7251D738AE45CBAD
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,004987A0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004987A0), ref: 00406366
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcess
• String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
• API String ID: 3256987805-3653653586
• Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
• Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
• Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
• Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
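The "APIs" listings above print every argument as raw hexadecimal, and after the declared parameters they keep printing whatever else was on the stack, so the constants that matter for triage have to be decoded by hand: 000000FC in SetWindowLongA is GWL_WNDPROC (the report renders the byte push of -4 that way), 0000F000/0000F010/0000F030 in DeleteMenu are SC_SIZE/SC_MOVE/SC_MAXIMIZE, 00000040 in VirtualAlloc is PAGE_EXECUTE_READWRITE, and 00000001 in SetProcessDEPPolicy is PROCESS_DEP_ENABLE. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in this report's "APIs" format into records, decodes those constants for the declared parameters only, and turns them into short triage notes. The sample input is copied from the entries above; the parameter counts, decode tables and the triage rules are this example's own assumptions and cover only the APIs seen on this page.

```python
"""Parse Joe Sandbox 'APIs' lines into records and decode Win32 constants.
Added example for this report page; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: lines copied verbatim from the function entries above.
SAMPLE_API_LINES = """
• Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
• SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
• SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
• DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004987A0), ref: 00406366
• GetWindowLongA.USER32(?,000000F0), ref: 0041366F
"""

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def _signed_forms(table):
    """GWL_* indices are negative. Joe prints 'push -4' as 000000FC; other tools
    print FFFFFFFC. Accept both spellings of each index."""
    out = {}
    for k, name in table.items():
        out[k & 0xFF] = name
        out[k & 0xFFFFFFFF] = name
    return out

GWL = _signed_forms({-4: "GWL_WNDPROC", -6: "GWL_HINSTANCE", -12: "GWL_ID",
                     -16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"})

# (api, zero-based parameter index) -> {raw value: symbolic name}. Assumed tables,
# limited to the APIs that appear on this page.
DECODERS = {
    ("SetWindowLongA", 1): GWL,
    ("GetWindowLongA", 1): GWL,
    ("DeleteMenu", 1): {0xF000: "SC_SIZE", 0xF010: "SC_MOVE", 0xF020: "SC_MINIMIZE",
                        0xF030: "SC_MAXIMIZE", 0xF060: "SC_CLOSE"},
    ("SendMessageA", 1): {0x0080: "WM_SETICON"},
    ("GetSystemMetrics", 0): {0: "SM_CXSCREEN", 1: "SM_CYSCREEN"},
    ("SetProcessDEPPolicy", 0): {0: "DEP_DISABLED", 1: "PROCESS_DEP_ENABLE",
                                 3: "PROCESS_DEP_ENABLE|PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION"},
    ("VirtualAlloc", 2): {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"},
    ("VirtualAlloc", 3): {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"},
}

# Declared parameter counts. Joe prints trailing stack slots after the real
# parameters, so positional decoding must stop here.
PARAM_COUNT = {"VirtualAlloc": 4, "SetWindowLongA": 3, "GetWindowLongA": 2, "SendMessageA": 4,
               "DeleteMenu": 3, "GetSystemMetrics": 1, "SetProcessDEPPolicy": 1, "GetProcAddress": 2}

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                 # address of the call site
    args: list               # declared parameters only, as printed
    subcall_of: Optional[int] = None
    decoded: dict = field(default_factory=dict)   # parameter index -> symbolic name

def _to_int(raw):
    """Hex slot -> int; '?' (unknown) and symbolic args such as export names -> None."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", raw):
        return None
    return int(raw, 16)

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")]
        n = PARAM_COUNT.get(m["api"], len(args))
        call = ApiCall(api=m["api"], module=m["mod"], ref=int(m["ref"], 16), args=args[:n],
                       subcall_of=int(m["sub"], 16) if m["sub"] else None)
        for i, raw in enumerate(call.args):
            table = DECODERS.get((call.api, i))
            val = _to_int(raw)
            if table and val is not None and val in table:
                call.decoded[i] = table[val]
        calls.append(call)
    return calls

def triage_notes(calls):
    """Behaviours an analyst would pull out of the decoded calls (assumed rules)."""
    notes = []
    for c in calls:
        d = c.decoded
        if c.api == "VirtualAlloc" and d.get(3) == "PAGE_EXECUTE_READWRITE":
            notes.append(f"{c.ref:08X}: RWX allocation (unpacking/JIT/shellcode candidate)")
        if c.api == "SetWindowLongA" and d.get(1) == "GWL_WNDPROC":
            notes.append(f"{c.ref:08X}: window procedure replaced (subclassing hook)")
        if c.api == "SetProcessDEPPolicy" and d.get(0, "").startswith("PROCESS_DEP_ENABLE"):
            notes.append(f"{c.ref:08X}: process opts into DEP")
        if c.api == "DeleteMenu" and d.get(1):
            notes.append(f"{c.ref:08X}: system menu item {d[1]} removed")
    return notes

if __name__ == "__main__":
    for note in triage_notes(parse_api_lines(SAMPLE_API_LINES)):
        print(note)
```

Symbolic arguments (the export name passed to GetProcAddress, "?" for an unknown slot) are kept as text rather than decoded. Note that SetDllDirectoryW, SetSearchPathMode and SetProcessDEPPolicy are all resolved by name through GetProcAddress in the entry above, so none of them will appear in the static import table; the API listing is the only place this sequence is visible.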
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
• GetWindowLongA.USER32(?,000000F0), ref: 0041366F
• GetWindowLongA.USER32(?,000000F4), ref: 00413681
• SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
• SetPropA.USER32(?,00000000,00000000), ref: 004136AB
• SetPropA.USER32(?,00000000,00000000), ref: 004136C2
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID: 3A$yA
                                                                                                                                                                                                                                                        • API String ID: 3887896539-3278460822
                                                                                                                                                                                                                                                        • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                                                                                                                                                                        • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0048155D
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00481571
                                                                                                                                                                                                                                                        • SendNotifyMessageA.USER32(00020430,00000496,00002710,00000000), ref: 004815E3
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Deinitializing Setup., xrefs: 004813BE
                                                                                                                                                                                                                                                        • GetCustomSetupExitCode, xrefs: 004813FD
                                                                                                                                                                                                                                                        • DeinitializeSetup, xrefs: 00481459
                                                                                                                                                                                                                                                        • Restarting Windows., xrefs: 004815BE
                                                                                                                                                                                                                                                        • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481592
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FreeLibrary$MessageNotifySend
                                                                                                                                                                                                                                                        • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                                                                                                                                                                        • API String ID: 3817813901-1884538726
                                                                                                                                                                                                                                                        • Opcode ID: 7a28e22f49addc96e76f802ca0849d61b7b50c1c5bda5676bed9641229de787a
                                                                                                                                                                                                                                                        • Instruction ID: cbf35c6ea8e2c35755bf260fcb7ea2de6ee1912f2844d37045d7b21794c51175
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a28e22f49addc96e76f802ca0849d61b7b50c1c5bda5676bed9641229de787a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7E51B034B00200AFD311EB69D8D5B2A77A8EB59708F50887BE801D73B1DB38AC46CB5D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004670FB
                                                                                                                                                                                                                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467121
                                                                                                                                                                                                                                                          • Part of subcall function 00466F98: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467030
                                                                                                                                                                                                                                                          • Part of subcall function 00466F98: DestroyCursor.USER32(00000000), ref: 00467046
                                                                                                                                                                                                                                                        • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00467178
                                                                                                                                                                                                                                                        • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 004671D9
                                                                                                                                                                                                                                                        • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004671FF
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                                                                                                                                                                        • String ID: 3!H$c:\directory$shell32.dll
                                                                                                                                                                                                                                                        • API String ID: 3376378930-1433438913
                                                                                                                                                                                                                                                        • Opcode ID: 98d177bb41c59d9eda90a867a93fad1e1930e0ff4594ebc68b10a6f6ae3f3113
                                                                                                                                                                                                                                                        • Instruction ID: eeb72baf5b42853d3f815a5aa99c9586f68c4266b8b4c17a0f013aa805d14d20
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 98d177bb41c59d9eda90a867a93fad1e1930e0ff4594ebc68b10a6f6ae3f3113
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C8519E70604244AFDB10DF65DD89FDFB7A8EB48308F5085B7F50897391D638AE81CA59
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetActiveWindow.USER32 ref: 0042F58F
                                                                                                                                                                                                                                                        • GetFocus.USER32 ref: 0042F597
                                                                                                                                                                                                                                                        • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                                                                                                                                                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                                                                                                                                                                                        • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                                                                                                                                                                                        • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                                                                                                                                                                                        • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,0045822A,00000000,0049B628), ref: 0042F654
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                                                                                                                                                                        • String ID: TWindowDisabler-Window
                                                                                                                                                                                                                                                        • API String ID: 3167913817-1824977358
                                                                                                                                                                                                                                                        • Opcode ID: f7ab43707fc58a8671fa89562680ab341e1c6dac946df8ae77823ce8bb8e6cb4
                                                                                                                                                                                                                                                        • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7ab43707fc58a8671fa89562680ab341e1c6dac946df8ae77823ce8bb8e6cb4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,00472995,?,?,?,00000008,00000000,00000000,00000000,?,00472BF1,?,?,00000000,00472E60), ref: 004728F8
  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004982D1,00000000,00498326,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472995,?,?,?,00000008,00000000,00000000,00000000,?,00472BF1), ref: 0047296F
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472995,?,?,?,00000008,00000000,00000000,00000000), ref: 00472975
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: 524c06fc51e9c2653bdcf2676b801e4e9f9d3f0fda8b2bcdedf8bca621ce2dcf
• Instruction ID: 462ce40c89e15ce4c06a0e37d2b4e5ea8e3c275fc862558d30a21327f7840796
• Opcode Fuzzy Hash: 524c06fc51e9c2653bdcf2676b801e4e9f9d3f0fda8b2bcdedf8bca621ce2dcf
• Instruction Fuzzy Hash: 1611D0F07005047BD701E66A8D82BAE72ACDB49724F64807BB508B73C1DBBCAE01865C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,004987E6), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,004987E6), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 3c9fa4c0e07a2ee3018d2944ff9ca33be98ff08f9077dd36f774f159ffc5baad
• Instruction ID: 0cfad7ca53bf4133c716031d63a26ec494c9be7874946ed143d2344feace3e75
• Opcode Fuzzy Hash: 3c9fa4c0e07a2ee3018d2944ff9ca33be98ff08f9077dd36f774f159ffc5baad
• Instruction Fuzzy Hash: 9F01D870240B04BED3016F63AD12F563A58E755B5BF5044BBFC1496582C77C4A088EAD
APIs
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458150,?, /s ",?,regsvr32.exe",?,00458150), ref: 004580C2
Strings
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: d175d9da8a76c71ba850d7f7f1134850f14e3b89773ae9d7c64671375ec7c016
• Instruction ID: 7b83132b996dcc88cd003ed7b4b9ff56f03cb6cdfa93b787d37915dd879d1aab
• Opcode Fuzzy Hash: d175d9da8a76c71ba850d7f7f1134850f14e3b89773ae9d7c64671375ec7c016
• Instruction Fuzzy Hash: 4E412670E047086BDB10EFE6C842B8DB7F9AF45305F50407FA804BB292DF789A098B19
APIs
• RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
• RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
• GetCurrentThreadId.KERNEL32 ref: 00430971
• GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
Strings
Similarity
• API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
• String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
• API String ID: 4130936913-2943970505
• Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
• Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
• Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
APIs
• GetCapture.USER32 ref: 00422EA4
• GetCapture.USER32 ref: 00422EB3
• SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
• ReleaseCapture.USER32 ref: 00422EBE
• GetActiveWindow.USER32 ref: 00422ECD
• SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
• SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
• GetActiveWindow.USER32 ref: 00422FBF
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 862346643-0
                                                                                                                                                                                                                                                        • Opcode ID: 9a658c63173933740f838e134dd06879da375375ea41c34b29c7eb91f1edca17
                                                                                                                                                                                                                                                        • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a658c63173933740f838e134dd06879da375375ea41c34b29c7eb91f1edca17
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476831
                                                                                                                                                                                                                                                        • SetWindowLongW.USER32(00000000,000000FC,0047678C), ref: 00476858
                                                                                                                                                                                                                                                        • GetACP.KERNEL32(00000000,00476A70,?,00000000,00476A9A), ref: 00476895
                                                                                                                                                                                                                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004768DB
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ClassInfoLongMessageSendWindow
                                                                                                                                                                                                                                                        • String ID: COMBOBOX$Inno Setup: Language
                                                                                                                                                                                                                                                        • API String ID: 3391662889-4234151509
                                                                                                                                                                                                                                                        • Opcode ID: a4e4449b3cbe8564ce7ac80a0411ab61b62921b3e55361c0809f1fed2a0e8f54
                                                                                                                                                                                                                                                        • Instruction ID: d76c004897552a3cc8e54786408815dd89bb54d04f8b08ddd0f07c4dae0e4e58
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4e4449b3cbe8564ce7ac80a0411ab61b62921b3e55361c0809f1fed2a0e8f54
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99813F706006059FCB10DF69C885AAAB7F2FB09304F16C0BAE909E7762D738ED45CB59
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                                                                                                                                                                                          • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                                                                                                                                                                                          • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                                                                                                                                                                                          • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                                                                                                                                                                                          • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                                                                                                                                                                        • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                                                                                                                                                                        • API String ID: 854858120-615399546
                                                                                                                                                                                                                                                        • Opcode ID: 87637bfe1c403b0336740b264e509fa12eda090332999a1b9478a3c957ce749b
                                                                                                                                                                                                                                                        • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 87637bfe1c403b0336740b264e509fa12eda090332999a1b9478a3c957ce749b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
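The two records above (the COMBOBOX / `Inno Setup: Language` function and the `cmd.exe" /C "` function) are bare API call lists whose arguments are printed as raw hex, so a reader has to decode them by hand. The Python below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses listing lines in the format rendered on this page, resolves a handful of Win32 constants that I chose for the calls seen here (my own table, an assumption rather than part of the report), and emits two conservative findings: a function carrying `/C` shell strings together with WaitForInputIdle and GetExitCodeProcess starts a command interpreter and waits for it, and GetProcAddress calls list the imports a function resolves at run time. The sample input is the text of the two records on this page, embedded as constructed test data.

```python
"""Parse the 'APIs' / 'String ID' lines of a Joe Sandbox function record
(format as rendered on this page) and derive a few triage facts.
Added example: not Joe Sandbox code and not code from the analysed sample."""
import re

# One listing line: "• Api.DLL(arg,arg,...), ref: ADDR". The optional
# "Part of subcall function XXXX:" prefix names the callee the call sits in.
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$",
    re.IGNORECASE,
)
STRING_ID_RE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<ids>.*)$")

# Win32 constants worth resolving for calls seen in this report:
# (API name, zero-based argument index) -> {value: symbolic name}.
# This table is my own selection (assumption), not part of the report.
KNOWN_CONSTANTS = {
    ("SendMessageW", 1): {0x143: "CB_ADDSTRING"},
    ("GetDeviceCaps", 1): {0x5A: "LOGPIXELSY"},
    ("SetErrorMode", 0): {0x8000: "SEM_NOOPENFILEERRORBOX"},
}


def parse_record(text):
    """Return {'calls': [...], 'strings': [...]} for one record's lines.
    Joe prints string arguments unquoted, so a string argument that itself
    contains a comma would be split into two arguments (known limitation)."""
    calls, strings = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m.group("args")
            calls.append({
                "api": m.group("api"),
                "dll": m.group("dll").upper(),
                "args": [] if raw is None else raw.split(","),
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub"),
            })
            continue
        m = STRING_ID_RE.match(line)
        if m:
            strings.extend(s for s in m.group("ids").split("$") if s)
    return {"calls": calls, "strings": strings}


def resolve_constants(record):
    """List (api, ref, arg_index, name) for arguments matching KNOWN_CONSTANTS."""
    hits = []
    for c in record["calls"]:
        for i, a in enumerate(c["args"]):
            table = KNOWN_CONSTANTS.get((c["api"], i))
            if table and re.fullmatch(r"[0-9A-F]+", a, re.IGNORECASE):
                name = table.get(int(a, 16))
                if name:
                    hits.append((c["api"], c["ref"], i, name))
    return hits


def triage(record):
    """Conservative findings: only patterns fully visible in the record."""
    apis = {c["api"] for c in record["calls"]}
    findings = []
    shells = [s.strip() for s in record["strings"] if "/C" in s]
    if shells and {"GetExitCodeProcess", "WaitForInputIdle"} <= apis:
        findings.append("spawns a command interpreter (%s) and waits for it"
                        % ", ".join(shells))
    resolved = sorted({c["args"][1] for c in record["calls"]
                       if c["api"] == "GetProcAddress" and len(c["args"]) > 1})
    if resolved:
        findings.append("resolves imports at run time: " + ", ".join(resolved))
    return findings


# Sample input: the two records copied from this report (constructed test data).
SAMPLE_SHELL = """\
• GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
  • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
  • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
  • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
  • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
• String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
"""
SAMPLE_COMBOBOX = """\
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476831
• SetWindowLongW.USER32(00000000,000000FC,0047678C), ref: 00476858
• GetACP.KERNEL32(00000000,00476A70,?,00000000,00476A9A), ref: 00476895
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004768DB
• String ID: COMBOBOX$Inno Setup: Language
"""

if __name__ == "__main__":
    for rec in (parse_record(SAMPLE_SHELL), parse_record(SAMPLE_COMBOBOX)):
        print(triage(rec), resolve_constants(rec))
```

Resolving 00000143 to CB_ADDSTRING ties the SendMessageW call to the COMBOBOX class string: the function fills a combobox, and together with the `Inno Setup: Language` string that is the installer's language selector, not anything that needs attention. The shell record is consistent with an Inno Setup installer running `.bat`/`.cmd` files through `COMMAND.COM /C` or `cmd.exe /C` and waiting for the exit code; on its own it says nothing about malice, and the detections listed in the report's signature section rest on other evidence. Because the report prints string arguments unquoted, a string containing a comma would be split by this parser, so treat argument counts as approximate.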
APIs
• LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
• GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
• OemToCharA.USER32(?,?), ref: 0042375C
• CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Char$FileIconLoadLowerModuleName
• String ID: 2$MAINICON
• API String ID: 3935243913-3181700818
• Opcode ID: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
• Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
• Opcode Fuzzy Hash: a0d1a492a3e1df344d79b5ede7937f80cf878dadafa44837ceada302c6d607ca
• Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
APIs
• GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
• GetCurrentThreadId.KERNEL32 ref: 00418F79
• GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
  • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
  • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
  • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
  • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
  • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
  • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
  • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
  • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
  • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
  • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
  • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
  • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                                                                                                                                                                          • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                                                                                                                                                                          • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                                                                                                                                                                          • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                                                                                                                                                                        • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                                                                                                                                                                        • API String ID: 316262546-2767913252
                                                                                                                                                                                                                                                        • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                                                                                                                                                        • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                                                                                                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                                                                                                                                                                        • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                                                                                                                                                                        • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                                                                                                                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                                                                                                                                                                        • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LongWindow$Prop
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3887896539-0
                                                                                                                                                                                                                                                        • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                                                                                                                                                        • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
                                                                                                                                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
                                                                                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
                                                                                                                                                                                                                                                        • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                                                                                                                                                                                        • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3782394904-0
                                                                                                                                                                                                                                                        • Opcode ID: 49a09b6a13b56db9203ce39fe96f4178c1f7b5105776856b2d284d5d8bbe2f88
                                                                                                                                                                                                                                                        • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 49a09b6a13b56db9203ce39fe96f4178c1f7b5105776856b2d284d5d8bbe2f88
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00472201,?,00000000,?,0049C1DC,00000000,004723F1,?,00000000,?,00000000,?,004725BD), ref: 004721DD
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(000000FF,00472208,00472201,?,00000000,?,0049C1DC,00000000,004723F1,?,00000000,?,00000000,?,004725BD,?), ref: 004721FB
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00472323,?,00000000,?,0049C1DC,00000000,004723F1,?,00000000,?,00000000,?,004725BD), ref: 004722FF
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(000000FF,0047232A,00472323,?,00000000,?,0049C1DC,00000000,004723F1,?,00000000,?,00000000,?,004725BD,?), ref: 0047231D
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$CloseFileNext
• String ID: d&G
• API String ID: 2066263336-2616847865
• Opcode ID: 3135acd49bdd9f7c940886891253c872025377feb8fdbabe8a22e46f2ad5dbf6
• Instruction ID: 608184e9d730796bd638f0aed621da03a149468e2f0a896b3490ab0ad4e323f3
• Opcode Fuzzy Hash: 3135acd49bdd9f7c940886891253c872025377feb8fdbabe8a22e46f2ad5dbf6
• Instruction Fuzzy Hash: 76C13B3090424D9FCF11DFA5C981ADEBBB9FF48304F5085AAE818A3391D7789A46CF64
APIs
• Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
Strings
• PendingFileRenameOperations, xrefs: 00455754
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
• WININIT.INI, xrefs: 004557E4
• PendingFileRenameOperations2, xrefs: 00455784
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
• Opcode ID: 61bab1fbce8125a1ef0a6b7e628570c1d80a2c4d95d385196e5e328981673cec
• Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
• Opcode Fuzzy Hash: 61bab1fbce8125a1ef0a6b7e628570c1d80a2c4d95d385196e5e328981673cec
• Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C83E,?,?,00000000,0049B628,00000000,00000000,?,00498119,00000000,004982C2,?,00000000), ref: 0047C77B
• GetLastError.KERNEL32(00000000,00000000,00000000,0047C83E,?,?,00000000,0049B628,00000000,00000000,?,00498119,00000000,004982C2,?,00000000), ref: 0047C784
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
• Opcode ID: cdb850062fff62b3483cb9d455793b2ffcb5a285f05f3e3c93654b2d8917781d
• Instruction ID: 5d4e87a35204cb1efdaf7da8c531a93990ce3b0e97e2adc2e7d4826ba5d250a1
• Opcode Fuzzy Hash: cdb850062fff62b3483cb9d455793b2ffcb5a285f05f3e3c93654b2d8917781d
• Instruction Fuzzy Hash: 62410774A001099BDB00FFA5D882ADEB7B5EB44309F50557FE81477392DB389E058A5D
APIs
• EnumWindows.USER32(00423A1C), ref: 00423AA8
• GetWindow.USER32(?,00000003), ref: 00423ABD
• GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
• SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
Similarity
• API ID: Window$EnumLongWindows
• String ID: \AB
• API String ID: 4191631535-3948367934
• Opcode ID: e93388bd3fff79c24eeb181f990f23eef1eb1c1e13edb1a8516a489dd705de31
• Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
• Opcode Fuzzy Hash: e93388bd3fff79c24eeb181f990f23eef1eb1c1e13edb1a8516a489dd705de31
• Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
APIs
• MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00457F00
• GetExitCodeProcess.KERNEL32(?,?), ref: 00457F21
• CloseHandle.KERNEL32(?,00457F54), ref: 00457F47
Similarity
• API ID: CloseCodeExitHandleMultipleObjectsProcessWait
• String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
• API String ID: 2573145106-3235461205
• Opcode ID: 4448aa6085b3b7c488e18254bdbfc71c8710c610067728cd4fa77b4d45ab329b
• Instruction ID: 50a764ba55142cb249135573a30d7c63c7411ebd48bfbac2c50c8ab338f63295
• Opcode Fuzzy Hash: 4448aa6085b3b7c488e18254bdbfc71c8710c610067728cd4fa77b4d45ab329b
• Instruction Fuzzy Hash: 2301D632608204AFDB10EB99EC42E2E73A8EB49715F5040B7FC10D73C2D63C9E04961D
APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,00497439), ref: 0042DE6B
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressDeleteHandleModuleProc
                                                                                                                                                                                                                                                        • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                                                                                                                                                                        • API String ID: 588496660-1846899949
                                                                                                                                                                                                                                                        • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                                                                                                                                                                        • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • NextButtonClick, xrefs: 0046BB24
                                                                                                                                                                                                                                                        • PrepareToInstall failed: %s, xrefs: 0046BD46
                                                                                                                                                                                                                                                        • Need to restart Windows? %s, xrefs: 0046BD6D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                                                                                                                                                                        • API String ID: 0-2329492092
                                                                                                                                                                                                                                                        • Opcode ID: a39060279f72b48284e08eff57eab896bb1f01eada22d25c9f6c632c2855073d
                                                                                                                                                                                                                                                        • Instruction ID: aedd5239c298be2547da2a839ccd7c469dbbdea3d5c90e64bceb31d433ef37a4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a39060279f72b48284e08eff57eab896bb1f01eada22d25c9f6c632c2855073d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12D11C34A00108DFCB00EB99C585AEE77F5EF49304F6445BAE404EB352D779AE81CB9A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetActiveWindow.USER32(?,?,00000000,00482F25), ref: 00482CF8
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482D96
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ActiveChangeNotifyWindow
                                                                                                                                                                                                                                                        • String ID: $Need to restart Windows? %s
                                                                                                                                                                                                                                                        • API String ID: 1160245247-4200181552
                                                                                                                                                                                                                                                        • Opcode ID: 85e9d30413544076e55be9a72f517eb79e25aba56188ef4e592797f601b59bdf
                                                                                                                                                                                                                                                        • Instruction ID: 1aeb2d584ff8c62d9bd57db574d113adc6e4e0e514ad05e5719deb60ea54066a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 85e9d30413544076e55be9a72f517eb79e25aba56188ef4e592797f601b59bdf
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF918E346042449FDB10FB69D985BAE7BF4AF59308F4484BBE8009B362C7B8AD45CB5D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,0046FBB5,?,?,0049C1DC,00000000), ref: 0046FA92
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FB0C
                                                                                                                                                                                                                                                        • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FB31
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                                                                                                                                                                        • String ID: Creating directory: %s
                                                                                                                                                                                                                                                        • API String ID: 2451617938-483064649
                                                                                                                                                                                                                                                        • Opcode ID: 171113a9a74995553e8e25c276a788ed0e76067d8c0b988a536185a582d1a31f
                                                                                                                                                                                                                                                        • Instruction ID: eb76e5a5c62baf7f93a74a30aafa38496d2f7a5b2612fa3441d7b1df4e24bdef
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 171113a9a74995553e8e25c276a788ed0e76067d8c0b988a536185a582d1a31f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0515574E00248ABDB01DFA5D592BDEB7F5AF49304F50847AE850B7382D7786E08CB59
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressByteCharMultiProcWide
                                                                                                                                                                                                                                                        • String ID: SfcIsFileProtected$sfc.dll
                                                                                                                                                                                                                                                        • API String ID: 2508298434-591603554
                                                                                                                                                                                                                                                        • Opcode ID: 8ad70f115c2cd82e4055ec905d7ce046a45a54d0b91e2e8387ca62de9b03e25d
                                                                                                                                                                                                                                                        • Instruction ID: 0183ab2a96bad10459dc7acb776d15a29b7b4c70eaa7773bbc3cb8db3249cf06
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8ad70f115c2cd82e4055ec905d7ce046a45a54d0b91e2e8387ca62de9b03e25d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A419771A042189BEB20DB59DC85B9DB7B8EB4430DF5041B7E908A7293D7785F88CE1C
APIs
• 74D31520.VERSION(00000000,?,?,?,004974DC), ref: 00452530
• 74D31500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,004974DC), ref: 0045255D
• 74D31540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,004974DC), ref: 00452577
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: D31500D31520D31540
• String ID: %E
• API String ID: 1003763464-175436132
APIs
• GetDC.USER32(00000000), ref: 0044B401
• SelectObject.GDI32(?,00000000), ref: 0044B424
• ReleaseDC.USER32(00000000,?), ref: 0044B457
Strings
Similarity
• API ID: ObjectReleaseSelect
• String ID: 3!H
• API String ID: 1831053106-770989722
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
• ExitProcess.KERNEL32 ref: 00404E0D
Strings
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,3!H,?,?), ref: 0044B11E
• DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
• DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
Strings
Similarity
• API ID: DrawText$ByteCharMultiWide
• String ID: 3!H
• API String ID: 65125430-770989722
APIs
• SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
Strings
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
                                                                                                                                                                                                                                                        • Opcode ID: 03dbd901aa7110cc9683d5c1b3267e8c75712ceaaa91c95a5190d29b40c4bd10
                                                                                                                                                                                                                                                        • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 03dbd901aa7110cc9683d5c1b3267e8c75712ceaaa91c95a5190d29b40c4bd10
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                                                                                                                                                                                        • PendingFileRenameOperations, xrefs: 00455A40
                                                                                                                                                                                                                                                        • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseOpen
                                                                                                                                                                                                                                                        • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                                                                                                                                                                        • API String ID: 47109696-2115312317
                                                                                                                                                                                                                                                        • Opcode ID: 4024932538ae5887f481c00a5b26e89126044ce8d3803db75db9ed78d0794b1f
                                                                                                                                                                                                                                                        • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4024932538ae5887f481c00a5b26e89126044ce8d3803db75db9ed78d0794b1f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
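The function above opens SYSTEM\CurrentControlSet\Control\Session Manager and references the PendingFileRenameOperations and PendingFileRenameOperations2 value names. That value is where Windows queues MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) requests, so the session manager can replace or delete locked files at the next boot; installers read it to decide whether a reboot is pending, and malware abuses the same queue to overwrite or remove files it cannot touch while they are in use. The report only shows the key being opened and the strings referenced, not a write, so the entry alone is not evidence of abuse. The following decoder is an added example written for this page, not code from the Joe Sandbox report or from the analysed sample; it assumes the REG_MULTI_SZ has already been read as a list of strings (on a Windows host via winreg, or from an exported SYSTEM hive), and the SAMPLE_VALUE, the hypothetical paths in it and the ops_touching triage helper are constructed for illustration.

```python
"""Decode a PendingFileRenameOperations value into the file operations it schedules.

Added example, not code from the Joe Sandbox report or from the analysed sample.
Assumes the REG_MULTI_SZ has already been read as a list of strings; the
SAMPLE_VALUE below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAMES = ("PendingFileRenameOperations", "PendingFileRenameOperations2")
NT_PREFIX = "\\??\\"  # NT object-manager prefix used in the stored paths


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None means the source is deleted at boot
    replace_existing: bool      # destination carried a '!' prefix (MOVEFILE_REPLACE_EXISTING)

    @property
    def kind(self) -> str:
        return "delete" if self.destination is None else "rename"


def strip_nt_prefix(path: str) -> str:
    """Turn an NT path such as \\??\\C:\\x into the Win32 form C:\\x."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(value: Sequence[str]) -> List[PendingOp]:
    """Consume the multi-string in (source, destination) pairs.

    An empty destination means the source is deleted at boot; a destination
    starting with '!' means the caller asked to replace an existing file.
    """
    items = list(value)
    # Some readers hand back the trailing empty terminator string; drop it.
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()
    if len(items) % 2 == 1:
        raise ValueError("odd number of strings: value is truncated or malformed")
    ops: List[PendingOp] = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append(PendingOp(
            source=strip_nt_prefix(src),
            destination=strip_nt_prefix(dst) if dst else None,
            replace_existing=replace,
        ))
    return ops


def ops_touching(ops: Sequence[PendingOp], prefixes: Sequence[str]) -> List[PendingOp]:
    """Triage helper (hypothetical): keep operations whose source or destination
    lies under any of the given directories, e.g. System32 or Program Files."""
    norm = [p.lower().rstrip("\\") + "\\" for p in prefixes]
    hits = []
    for op in ops:
        paths = [op.source] + ([op.destination] if op.destination else [])
        if any(p.lower().startswith(n) for p in paths for n in norm):
            hits.append(op)
    return hits


# Constructed sample: a staged file replacing a driver at boot, and a log file
# queued for deletion. The file names are hypothetical.
SAMPLE_VALUE = [
    r"\??\C:\Windows\Temp\stage.tmp",
    r"!\??\C:\Windows\System32\drivers\example.sys",
    r"\??\C:\Users\Public\setup.log",
    "",
    "",  # REG_MULTI_SZ terminator as some readers return it
]


def read_live_value(value_name: str = VALUE_NAMES[0]) -> Optional[List[str]]:
    """On Windows, read the live value; returns None elsewhere or if it is absent."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
            data, kind = winreg.QueryValueEx(key, value_name)
    except OSError:
        return None
    return list(data) if kind == winreg.REG_MULTI_SZ else None


if __name__ == "__main__":
    value = read_live_value() or SAMPLE_VALUE
    for op in parse_pending_ops(value):
        flag = "  [replace existing]" if op.replace_existing else ""
        print(f"{op.kind:6} {op.source} -> {op.destination or '(delete)'}{flag}")
```

When run against a live host it prints the queued operations, falling back to the constructed sample elsewhere. Both value names should be checked, since Windows moves overflow entries into PendingFileRenameOperations2 while the first list is being processed, and a rename whose destination sits under System32 or a driver directory deserves a look at the staged source file before the machine reboots.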
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FA39,?,00000000,00000000,?,?,00480C8F,?,?,00000000), ref: 0047F8E6
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FA39,?,00000000,00000000,?,?,00480C8F,?,?), ref: 0047F8F3
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FA0C,?,?,?,?,00000000,0047FA39,?,00000000,00000000,?,?,00480C8F), ref: 0047F9E8
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(000000FF,0047FA13,0047FA0C,?,?,?,?,00000000,0047FA39,?,00000000,00000000,?,?,00480C8F,?), ref: 0047FA06
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Find$CloseFileNext
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2066263336-0
                                                                                                                                                                                                                                                        • Opcode ID: 060517e770f88c230472ebc85a875130a4459b0d8e7052b4c0965d551127201c
                                                                                                                                                                                                                                                        • Instruction ID: b33153c689731431f5f6758ffa131ff439c11241547dfb1f23eae018cdad53b3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 060517e770f88c230472ebc85a875130a4459b0d8e7052b4c0965d551127201c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 29511D71A00659AFCB21EF65CC45ADEB7B8EF48315F1084BAA818B7341D7389F898F54
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetMenu.USER32(00000000), ref: 00421361
                                                                                                                                                                                                                                                        • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                                                                                                                                                                                        • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                                                                                                                                                                                        • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Menu
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3711407533-0
                                                                                                                                                                                                                                                        • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                                                                                                                                                                        • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                                                                                                                                                                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Color$CallMessageProcSendTextWindow
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 601730667-0
                                                                                                                                                                                                                                                        • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                                                                                                                                                                        • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
• CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
• Opcode ID: dd50dfeadc934d49718674b70b7762dca81241f06e47b37901a5315ac1615649
• Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
• Opcode Fuzzy Hash: dd50dfeadc934d49718674b70b7762dca81241f06e47b37901a5315ac1615649
• Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
APIs
• GetDC.USER32(00000000), ref: 0042311E
• EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
• ReleaseDC.USER32(00000000,00000000), ref: 00423144
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CapsDeviceEnumFontsRelease
• String ID:
• API String ID: 2698912916-0
• Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
• Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
• Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 0890baa5a0d1e935d96baa81f1570a556114ff82a35d0c7734bdeeb6470e0ce7
• Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
• Opcode Fuzzy Hash: 0890baa5a0d1e935d96baa81f1570a556114ff82a35d0c7734bdeeb6470e0ce7
• Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
APIs
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: 4409c29a9a25c0ad308f5e955a5ec1cd053a298abf52c98fd3bc106dc91571a3
• Instruction ID: fb8ccce0602981b24cccf543ece47fad641bfa2f8f4142a34fcf790c278cb350
• Opcode Fuzzy Hash: 4409c29a9a25c0ad308f5e955a5ec1cd053a298abf52c98fd3bc106dc91571a3
• Instruction Fuzzy Hash: 99E0ED6235919086C62132BF18C25AF4948CBC2326B29453FE088D6282C8584C0AA73F
APIs
• GlobalHandle.KERNEL32 ref: 0040626F
• GlobalUnlock.KERNEL32(00000000), ref: 00406276
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
• GlobalLock.KERNEL32(00000000), ref: 00406281
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
• Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
• Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C21A,00000000,0045C3A5,?,00000000,00000002,00000002), ref: 00450933
• FlushFileBuffers.KERNEL32(?), ref: 0045C371
Strings
• NumRecs range exceeded, xrefs: 0045C26E
• EndOffset range exceeded, xrefs: 0045C2A5
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 8303768bd48e0fc2fa6ee4afa8e648be89b1656b816eebee7fc537c11c154369
• Instruction ID: 92b39deb1d727bbe453e199d504f681136ca2c8dc81762a7a316b3574306949e
• Opcode Fuzzy Hash: 8303768bd48e0fc2fa6ee4afa8e648be89b1656b816eebee7fc537c11c154369
• Instruction Fuzzy Hash: 8C617234A002588FDB25DF25C881AD9B7B5EF49305F0084DAED88AB352D774AEC8CF54
APIs
• GetForegroundWindow.USER32(00000000,00483266,?,00000000,004832A7,?,?,?,?,00000000,00000000,00000000,?,0046BC71), ref: 00483115
• SetActiveWindow.USER32(?,00000000,00483266,?,00000000,004832A7,?,?,?,?,00000000,00000000,00000000,?,0046BC71), ref: 00483127
Strings
• Will not restart Windows automatically., xrefs: 00483246
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
• Opcode ID: 91e6c9f49964e5799d5a8281bce09450ffeb408f9a54e11e665e42baf201208a
• Instruction ID: 8a7042837739e321d77f655c2f69457931782f300a0f77f956dc7f734a8b2175
• Opcode Fuzzy Hash: 91e6c9f49964e5799d5a8281bce09450ffeb408f9a54e11e665e42baf201208a
• Instruction Fuzzy Hash: 6A413634204280AFE711FFA4ED9AB6D7BE49B55F05F5448F7E8404B3A2C2BC5A019B5E
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498796), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498796), ref: 00403356
  • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004987A0), ref: 00406322
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
  • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
  • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004987A0), ref: 00406366
  • Part of subcall function 004063C4: 6F541CD0.COMCTL32(004987A5), ref: 004063C4
  • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
  • Part of subcall function 00419040: GetVersion.KERNEL32(004987BE), ref: 00419040
  • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004987D2), ref: 0044F77F
  • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
  • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,004987D7), ref: 0044FC1F
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,004987E6), ref: 00453210
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
  • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,004987E6), ref: 0045322A
  • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
  • Part of subcall function 00456F8C: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456FB0
  • Part of subcall function 004644CC: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004987FA), ref: 004644DB
  • Part of subcall function 004644CC: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004644E1
  • Part of subcall function 0046CCC8: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CCDD
  • Part of subcall function 004787A8: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498804), ref: 004787AE
  • Part of subcall function 004787A8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004787BB
  • Part of subcall function 004787A8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004787CB
  • Part of subcall function 00483AD8: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00483BC7
  • Part of subcall function 00495790: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004957A9
• SetErrorMode.KERNEL32(00000001,00000000,0049884C), ref: 0049881E
  • Part of subcall function 00498548: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498828,00000001,00000000,0049884C), ref: 00498552
  • Part of subcall function 00498548: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498558
  • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,0049884C), ref: 0049887F
  • Part of subcall function 00482118: SetActiveWindow.USER32(?), ref: 004821C6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF541FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
• String ID: Setup
• API String ID: 291738113-3839654196
• Opcode ID: ac60a49be437ebb45cc5134b6cac54189cf8131719c63685879d854b47d4e96c
• Instruction ID: e6cb1ecab586e882d6092fc32a61e4d3e54d1174c3ade86a22a5c589b5456c94
• Opcode Fuzzy Hash: ac60a49be437ebb45cc5134b6cac54189cf8131719c63685879d854b47d4e96c
• Instruction Fuzzy Hash: 9E31D8712045009FE601BBBBED5392D3B98DF8A718BA2447FF80496553DE3D5850867F
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: QueryValue
• String ID: t8H
• API String ID: 3660427363-3273747655
• Opcode ID: 11a0b535a4667ef867bfe347ec5791e6c3ab33c895bd2caafeaf893bc9faecd5
• Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
• Opcode Fuzzy Hash: 11a0b535a4667ef867bfe347ec5791e6c3ab33c895bd2caafeaf893bc9faecd5
• Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,00478B06,?,?,00000001,00000000,00000000,00478B21), ref: 00478AEF
Strings
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478A7A
• %s\%s_is1, xrefs: 00478A98
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
• API String ID: 47109696-1598650737
• Opcode ID: 786c54be934108f786759ad76196cefc8fa07037b31cfb1517f2fa762e4dd4f1
• Instruction ID: bc4647fd19b1406f2c24edaffaa7e5f79ca482a4abc40f74c7f03d766005c666
• Opcode Fuzzy Hash: 786c54be934108f786759ad76196cefc8fa07037b31cfb1517f2fa762e4dd4f1
• Instruction Fuzzy Hash: 68216470B403446FDB11DBA9CC5569EBBE8EB8D714F90847BF404E7381DA78AE01CA59
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
• GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: e73f07324749ba3b6bb8051b413134030b115f0023a9ed500ac47b5e556ef56f
• Instruction ID: ea6adcadec8e2c01cafa1ba510acc1338588d6ec7b4e1cf88163bb5bfef62d35
• Opcode Fuzzy Hash: e73f07324749ba3b6bb8051b413134030b115f0023a9ed500ac47b5e556ef56f
• Instruction Fuzzy Hash: A9213575A002089BDB01EFA1C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
APIs
  • Part of subcall function 004835CC: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004835DD
  • Part of subcall function 004835CC: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004835EA
  • Part of subcall function 004835CC: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004835F8
  • Part of subcall function 004835CC: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483600
  • Part of subcall function 004835CC: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 0048360C
  • Part of subcall function 004835CC: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0048362D
  • Part of subcall function 004835CC: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483640
  • Part of subcall function 004835CC: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483646
  • Part of subcall function 004838F8: GetVersionExA.KERNEL32(?,00483B0A,00000000,00483BDF,?,?,?,?,?,00498809), ref: 00483906
  • Part of subcall function 004838F8: GetVersionExA.KERNEL32(0000009C,?,00483B0A,00000000,00483BDF,?,?,?,?,?,00498809), ref: 00483958
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00483BC7
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
• String ID: SHGetKnownFolderPath$shell32.dll
• API String ID: 3869789854-2936008475
• Opcode ID: c38c32ac8e21e1ef1c7c8d60e58cbfd2e67055f6aaa6ab8a85d379c1cf1e926e
• Instruction ID: 8d754446f8ced7e828df75db08f564e36c275066a6fcf3a280b0d464572047f3
• Opcode Fuzzy Hash: c38c32ac8e21e1ef1c7c8d60e58cbfd2e67055f6aaa6ab8a85d379c1cf1e926e
• Instruction Fuzzy Hash: E92130B06103506EC300BF7E59A661A3BA5EB5470C380893FF800EB3D2D77E68159B6E
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                                                                                                                                                                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$EnumQuery
                                                                                                                                                                                                                                                        • String ID: Inno Setup: No Icons
                                                                                                                                                                                                                                                        • API String ID: 1576479698-2016326496
                                                                                                                                                                                                                                                        • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                                                                                                                                                        • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C480,00000000,0047C496), ref: 0047C18E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Close
                                                                                                                                                                                                                                                        • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                                                                                                                                                                        • API String ID: 3535843008-1113070880
                                                                                                                                                                                                                                                        • Opcode ID: 1e88217f8c6a686059b1cc8b17c331cad9b4eafb174e051ef77faac6cc91a5cf
                                                                                                                                                                                                                                                        • Instruction ID: a98586ebc1dd8f6eb838f640b3930df9694dcbabcd7376c76b2eb4b88a119760
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e88217f8c6a686059b1cc8b17c331cad9b4eafb174e051ef77faac6cc91a5cf
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0F09020704204AFE704DA69DDD2BAA3369D781304FE4803FA1049B347C6789E019B5C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,f`G,?,0049C1DC,?,0046F033,?,00000000,0046F5CE,?,_is1), ref: 0046ED3F
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID: Inno Setup: Setup Version$f`G
                                                                                                                                                                                                                                                        • API String ID: 3702945584-3457340433
                                                                                                                                                                                                                                                        • Opcode ID: 9a0f65d316a07bbae5ca4561441a268b34a40409bea15b003c9f9f243cfcc325
                                                                                                                                                                                                                                                        • Instruction ID: f83a235de8ae442e911721d8788902edd6b0ca45a2d8472f1444dbca35bd6270
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a0f65d316a07bbae5ca4561441a268b34a40409bea15b003c9f9f243cfcc325
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 87E06D753012043FD710AA2B9C89F5BBBDCDF88365F10443AB908DB392D578DD0081A8
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047535F), ref: 0047514D
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047535F), ref: 00475164
                                                                                                                                                                                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85,00000000), ref: 0045349F
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseCreateErrorFileHandleLast
                                                                                                                                                                                                                                                        • String ID: CreateFile
                                                                                                                                                                                                                                                        • API String ID: 2528220319-823142352
                                                                                                                                                                                                                                                        • Opcode ID: ef990a5663e5edb92589d8d491dd3746fed10db6247803fa66726950be21a5ee
                                                                                                                                                                                                                                                        • Instruction ID: 546d462a2e4641071e1b60047c6a955c4a835f73968c03783858e9aa75523f0b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ef990a5663e5edb92589d8d491dd3746fed10db6247803fa66726950be21a5ee
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99E039306403047BEA10EA69CCC6F4A77989B04769F108152FA48AF2E2C5B9EC408658
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetVersion.KERNEL32(?,0046E052), ref: 0046DFC6
                                                                                                                                                                                                                                                        • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E052), ref: 0046DFE2
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateInstanceVersion
• String ID: 8m
• API String ID: 1462612201-1963270409
• Opcode ID: 3176ce1499194bff4308d94f2f95d7c7f74a03190291877a43d24721a6d06f51
• Instruction ID: 9d7e53e8e12081409dd358e1503977a6d7c63d54aec5d731c24cc192de25bb62
• Opcode Fuzzy Hash: 3176ce1499194bff4308d94f2f95d7c7f74a03190291877a43d24721a6d06f51
• Instruction Fuzzy Hash: 04F0A0352862109EEB20ABAADC49B4A37C4BB20318F44047BE04487291E3ED9850871F
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Open
• String ID: 37H$System\CurrentControlSet\Control\Windows
• API String ID: 71445658-295213744
• Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
• Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
• Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
• Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
APIs
  • Part of subcall function 00456F1C: CoInitialize.OLE32(00000000), ref: 00456F22
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456FB0
Strings
Similarity
• API ID: AddressErrorInitializeLibraryLoadModeProc
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 2906209438-2320870614
• Opcode ID: 8c9e14898829cb5443ed632762dd3065d85b0c82af61ba438ad016217d0fb5e8
• Instruction ID: 2fc726b4a9e056db7c29aceefe67fc8584a8af6d4be502d82461f9bcaeee1902
• Opcode Fuzzy Hash: 8c9e14898829cb5443ed632762dd3065d85b0c82af61ba438ad016217d0fb5e8
• Instruction Fuzzy Hash: 19C08CA1F0020052C700B3FB740261F2C049B4035FB82803FB900A768BCF3D8C084B6E
APIs
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CCDD
Strings
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2492108670-2683653824
• Opcode ID: 6f7a6060dbea8608123eb84315140fc27ddd0186f719612547a4ad5d942bf35b
• Instruction ID: 42ebcd9fb95d62c415b6bc32f22e3161900c204dd3e918c1883918c963b40904
• Opcode Fuzzy Hash: 6f7a6060dbea8608123eb84315140fc27ddd0186f719612547a4ad5d942bf35b
• Instruction Fuzzy Hash: ECB092A070170086CA00BBAA6892A2A2805AB81319B50803B7188AB685EA3C88004B6F
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,00481900), ref: 00481898
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 004818A9
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 004818C1
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
• Opcode ID: 801fc58b86e0da2840a0eeeb4eb862893eccaa6a476f937b0111c0bf968b749f
• Instruction ID: fb7e7424c8280285121f5e03216e1827cf579b611b3bd4e8529c9af7391f4121
• Opcode Fuzzy Hash: 801fc58b86e0da2840a0eeeb4eb862893eccaa6a476f937b0111c0bf968b749f
• Instruction Fuzzy Hash: 8831A3307043441AD721FB7A9C83BAE3AA89F11718F54587FF800962E3CA7C9D0A879D
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
• TranslateMessage.USER32(?), ref: 0042448F
• DispatchMessageA.USER32(?), ref: 00424499
Similarity
• API ID: Message$DispatchPeekTranslate
• String ID:
• API String ID: 4217535847-0
APIs
• SetPropA.USER32(00000000,00000000), ref: 0041666A
• SetPropA.USER32(00000000,00000000), ref: 0041667F
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
Similarity
• API ID: Prop$Window
• String ID:
• API String ID: 3363284559-0
APIs
• IsWindowVisible.USER32(?), ref: 0041EE64
• IsWindowEnabled.USER32(?), ref: 0041EE6E
• EnableWindow.USER32(?,00000000), ref: 0041EE94
Similarity
• API ID: Window$EnableEnabledVisible
• String ID:
• API String ID: 3234591441-0
APIs
• GetForegroundWindow.USER32(00000000,00000000,?,?,00482FD1,?,004830B6,?,?,00000000), ref: 00482F72
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00482F84
• GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00482FD1,?,004830B6,?,?,00000000), ref: 00482F8D
Similarity
• API ID: ProcessWindow$CurrentForegroundThread
• String ID:
• API String ID: 3477312055-0
APIs
• SetActiveWindow.USER32(?), ref: 00469F05
Strings
Similarity
• API ID: ActiveWindow
• String ID: PrepareToInstall
• API String ID: 2558294473-1101760603
Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: /:*?"<>|
                                                                                                                                                                                                                                                        • API String ID: 0-4078764451
                                                                                                                                                                                                                                                        • Opcode ID: baeae3b569e444952e8f67b7659cb196a0efbe3f78f9fc9a052d5160d9971c3e
                                                                                                                                                                                                                                                        • Instruction ID: b81ff51e3587532d40105836ffa36bb77379fe4d4ab3fc563c1df1324d87f448
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: baeae3b569e444952e8f67b7659cb196a0efbe3f78f9fc9a052d5160d9971c3e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4471C670B002546AEB20EB59DCD2BBE77A19F40308F108167F541BB292EA79AD45875F
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetActiveWindow.USER32(?), ref: 004821C6
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ActiveWindow
                                                                                                                                                                                                                                                        • String ID: InitializeWizard
                                                                                                                                                                                                                                                        • API String ID: 2558294473-2356795471
                                                                                                                                                                                                                                                        • Opcode ID: deadc8968076f8caea13905e5e163463e25b816dffd795125141a152398972e1
                                                                                                                                                                                                                                                        • Instruction ID: 7d063ebd7b47e6a5ec4ad634c4b3a20d6578b94924e779883e75661c6baae00a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: deadc8968076f8caea13905e5e163463e25b816dffd795125141a152398972e1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC119434205200DFD701EBA9EE8AB5977D4EB58318F60043BF5008B3A1D7796C41D75D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Failed to remove temporary directory: , xrefs: 0047C953
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CountTick
                                                                                                                                                                                                                                                        • String ID: Failed to remove temporary directory:
                                                                                                                                                                                                                                                        • API String ID: 536389180-3544197614
                                                                                                                                                                                                                                                        • Opcode ID: dc8948da4a4a7ae9023587f3da3a2e6f7f3b241635aa5e5e9c389959d50d6392
                                                                                                                                                                                                                                                        • Instruction ID: 4760cced9017b54e13c9f61f972d9509a01cb90d2ec48e282b59cce5c1cf7d6e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc8948da4a4a7ae9023587f3da3a2e6f7f3b241635aa5e5e9c389959d50d6392
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3601F5B0604300BBEB21EB72DCC3B9A3798DB04708F60847FB904A6192DA7C9D44C91C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C294,00000000,0047C496), ref: 0047C08D
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C05D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseOpen
                                                                                                                                                                                                                                                        • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                                                                                        • API String ID: 47109696-1019749484
                                                                                                                                                                                                                                                        • Opcode ID: 4557a8a00227220340c3e4977130da833b2a1323f27f77b3f73a7f4a79cd4b82
                                                                                                                                                                                                                                                        • Instruction ID: 7780268eed0c8f4662378fdb42213bb4dbf55a51eddc9185eecb2e6195c6093a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4557a8a00227220340c3e4977130da833b2a1323f27f77b3f73a7f4a79cd4b82
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AEF08971700514A7DA10A5EA5D82B9F97DD8B84718F20403FF608DB242D97A9D0242AC
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F40A,?,?,00000000,0046F5CE,?,_is1,?), ref: 0046ED9F
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value
                                                                                                                                                                                                                                                        • String ID: NoModify
                                                                                                                                                                                                                                                        • API String ID: 3702945584-1699962838
                                                                                                                                                                                                                                                        • Opcode ID: b27336c5fecbb1443f888c6773f82653806ca827597cc1e8ae363085aea7e5d6
                                                                                                                                                                                                                                                        • Instruction ID: ce951061c90f104f5223ccf2311ea7346df234e4a3633a8a799f5004e5bcc4b2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b27336c5fecbb1443f888c6773f82653806ca827597cc1e8ae363085aea7e5d6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FE04FB4600304BFEB04DB55CD4AF6B77ECDB48710F104459BA049B2C1F674EE00C668
                                                                                                                                                                                                                                                        APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00454346,?,00000000,004543BA,?,?,-00000001,00000000,?,0047C94F,00000000,0047C89C,00000000), ref: 00454322
• FindClose.KERNEL32(000000FF,0045434D,00454346,?,00000000,004543BA,?,?,-00000001,00000000,?,0047C94F,00000000,0047C89C,00000000,00000000), ref: 00454340
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E29B,?,-0000001A,00480151,-00000010,?,00000004,0000001B,00000000,0048049E,?,0045DA40), ref: 0047E032
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,00480505,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
• SendNotifyMessageA.USER32(00020430,00000496,00002711,-00000001), ref: 0047E202
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
APIs
• RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
• RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,0047635B,?,00000000,0047636C,?,00000000,004763B5), ref: 0047632C
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,0047635B,?,00000000,0047636C,?,00000000,004763B5), ref: 00476340
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FileTime$Local
• String ID:
• API String ID: 791338737-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458150,00000000,00458138,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,?,?,00458150,00000000,00458138,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateErrorLastProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2919029540-0
                                                                                                                                                                                                                                                        • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                                                                                                                                                        • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                                                                                                                                                                                        • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Resource$FindFree
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4097029671-0
                                                                                                                                                                                                                                                        • Opcode ID: fb2794c8357d1ecacf77e813736bb8f48658a636536de766f5b2d30593d93c64
                                                                                                                                                                                                                                                        • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb2794c8357d1ecacf77e813736bb8f48658a636536de766f5b2d30593d93c64
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                                                                                                                                                        • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Thread$CurrentEnumWindows
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2396873506-0
                                                                                                                                                                                                                                                        • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                                                                                                                                                                        • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorFileLastMove
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 55378915-0
                                                                                                                                                                                                                                                        • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                                                                                                                                                                        • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1375471231-0
                                                                                                                                                                                                                                                        • Opcode ID: 4f51abd24ab49e498324db0d830057948f0c156f87ca6c4ec52d10be1f4c5d92
                                                                                                                                                                                                                                                        • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f51abd24ab49e498324db0d830057948f0c156f87ca6c4ec52d10be1f4c5d92
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
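The function records above share one shape: an "APIs" header followed by one bullet per imported call, with the module, the argument values recovered from the stack, and the address of the call site. When a report runs to thousands of such records, the useful triage step is to parse them and bucket functions by what they touch (process creation, file system, PE resources, window enumeration) and to note which calls are followed by GetLastError. The parser below is an added example written for this page; it is not Joe Sandbox code and not part of the report. The sample listing is copied from the records shown here, the capability table is an assumption chosen for the example, and the image range used for pointer spotting is taken from the dump list (base 00400000; the upper bound just past the 004AB000 segment is assumed).

```python
"""Parse the per-function 'APIs' bullets of a Joe Sandbox function listing
and summarise what each function touches. Added example, not report code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: bullets copied from the report records on this page.
SAMPLE = """\
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,00458150,00000000,00458138,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
• GetLastError.KERNEL32(00000000,00000000,?,?,00458150,00000000,00458138,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
• GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
• GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
"""

# Image range from the report's dump list; the end address is an assumption.
IMAGE_BASE, IMAGE_END = 0x00400000, 0x004AC000

# Assumed capability table for this example; extend as needed.
CAPABILITIES = {
    "process": {"CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA"},
    "filesystem": {"MoveFileA", "DeleteFileA", "CreateDirectoryA", "CopyFileA"},
    "resource": {"FindResourceA", "LoadResource", "LockResource", "FreeResource"},
    "window_enum": {"EnumThreadWindows", "EnumWindows", "FindWindowA"},
}

# "• Name.MODULE(args), ref: ADDR"; the argument list is optional
# (GetCurrentThreadId appears without one).
CALL_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int


def parse_listing(text):
    """Split on 'APIs' headers; return one list of ApiCall per function."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()          # the report is heavily indented
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return functions


def classify(calls):
    """Capability labels whose API set intersects the function's calls."""
    return {cap for cap, apis in CAPABILITIES.items()
            if any(c.api in apis for c in calls)}


def error_checked(calls):
    """True when some call is immediately followed by GetLastError, i.e. the
    function inspects the failure code instead of ignoring the result."""
    return any(a.api != "GetLastError" and b.api == "GetLastError"
               for a, b in zip(calls, calls[1:]))


def image_pointers(call):
    """Argument values that fall inside the mapped image: candidates for
    string or data literals to resolve in the dump. Not every hit is data;
    return addresses left on the stack land in this range too."""
    hits = []
    for a in call.args:
        try:
            v = int(a, 16)
        except ValueError:          # '?' placeholders
            continue
        if IMAGE_BASE <= v < IMAGE_END:
            hits.append(a)
    return hits


def summarize(text):
    """Map capability -> sorted call-site addresses of functions using it."""
    report = defaultdict(list)
    for calls in parse_listing(text):
        if not calls:
            continue
        for cap in classify(calls):
            report[cap].append(f"{calls[0].ref:08X}")
    return {cap: sorted(refs) for cap, refs in report.items()}


if __name__ == "__main__":
    for cap, refs in summarize(SAMPLE).items():
        print(f"{cap:12s} {', '.join(refs)}")
    for calls in parse_listing(SAMPLE):
        print(f"{calls[0].ref:08X} error-checked={error_checked(calls)} "
              f"image-ptrs={image_pointers(calls[0])}")
```

Feeding the report's own CreateProcessA record through image_pointers flags 00458150 and 00458138, which is where to look in the 00400000 dump for the application name and command line the call was given; the third hit, 00452862, sits in code and is the kind of stack residue the docstring warns about.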
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
• GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 8e20ab251d088d0bfaf69feb7d17608973a6f06366ba1158c9466a0d895ab982
• Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
• Opcode Fuzzy Hash: 8e20ab251d088d0bfaf69feb7d17608973a6f06366ba1158c9466a0d895ab982
• Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
APIs
• RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
• GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID:
• API String ID: 377330604-0
• Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
• Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
• Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 00423249
• LoadCursorA.USER32(00000000,00000000), ref: 00423273
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
• Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
• Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 255a0478d79177ccbef95319841b9e9e828fbe5b8587ea3eaa3c8c427559dbd8
• Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
• Opcode Fuzzy Hash: 255a0478d79177ccbef95319841b9e9e828fbe5b8587ea3eaa3c8c427559dbd8
• Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
APIs
• CallWindowProcW.USER32(6F5027E0,?,?,?,?), ref: 004767B9
• CallWindowProcW.USER32(FFFF0469,?,?,?,?), ref: 004767CA
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 4aae512627136846cb04b36f127d2b35c30ac0fa2ec00dc50a7c14aa0d4939c4
• Instruction ID: 1219a5ba84ab03939c43bccac728164024fd08da7027a3a95cad6b1af82576aa
• Opcode Fuzzy Hash: 4aae512627136846cb04b36f127d2b35c30ac0fa2ec00dc50a7c14aa0d4939c4
• Instruction Fuzzy Hash: EAF030B6110708BBEA04DAA9DCD9CA7776DDF49364B048227BD18972A0D178AC0486B8
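The function entries above follow a fixed layout (an "APIs" list with ref addresses, a "Memory Dump Source" block, and a "Similarity" block carrying the API String ID and fuzzy hashes), which makes them easy to post-process when triaging many such reports. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses entries in that layout into records, decodes the SetErrorMode argument (0x8000 is SEM_NOOPENFILEERRORBOX), and flags entries where SetErrorMode(SEM_NOOPENFILEERRORBOX) is followed by LoadLibrary*, the usual way to probe for a DLL without the user seeing a "module could not be found" dialog. The sample text inside is constructed to mirror the entries on this page, with shortened hashes, and is not copied from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the report entries above (whitespace
# trimmed, hashes shortened). Not copied from a real analysis.
SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_sample.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BB
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
• GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DeleteErrorFileLast
• API String ID: 2018770650-0
• Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB
"""

SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}

# "• Api.MODULE(arg,arg,...), ref: ADDR"
API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• Key: value" (value may be empty, as for "String ID:")
KV_RE = re.compile(r"^(?:•\s*)?(?P<key>[^:]+):\s*(?P<val>.*)$")

# SetErrorMode flag bits (Win32 values).
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # raw argument strings; "?" means the sandbox could not resolve it
    ref: int            # virtual address of the call site


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "API ID", "API String ID", hashes, dump source


def parse_entries(text):
    """Split report text into one FunctionEntry per 'APIs' block."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                      # every entry starts with its API list
            current = FunctionEntry()
            entries.append(current)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",") if a.strip()]
                current.apis.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
                continue
        m = KV_RE.match(line)
        if m:
            current.fields[m["key"].strip()] = m["val"].strip()
    return entries


def decode_error_mode(arg):
    """Name the SetErrorMode flags present in a hex argument such as '00008000'."""
    value = int(arg, 16)
    return [name for bit, name in SEM_FLAGS.items() if value & bit]


def silent_library_loads(entries):
    """Entries that suppress the 'module not found' box and then call LoadLibrary*."""
    hits = []
    for entry in entries:
        suppressed = False
        for call in entry.apis:
            if call.api == "SetErrorMode" and call.args and \
                    "SEM_NOOPENFILEERRORBOX" in decode_error_mode(call.args[0]):
                suppressed = True
            elif suppressed and call.api.startswith("LoadLibrary"):
                hits.append(entry)
                break
    return hits


def summarize(entries):
    """One tuple per entry: first call site, API chain, API String ID, instruction fuzzy hash."""
    return [
        (e.apis[0].ref if e.apis else None,
         " -> ".join(c.api for c in e.apis),
         e.fields.get("API String ID", ""),
         e.fields.get("Instruction Fuzzy Hash", ""))
        for e in entries
    ]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for ref, chain, sid, fh in summarize(parsed):
        print(f"{ref:08X}  {chain:<32} {sid:<14} {fh}")
    for e in silent_library_loads(parsed):
        print("silent DLL probe in entry", e.fields.get("API ID"))
```

The API String ID and Instruction Fuzzy Hash columns are what you would feed into a comparison across reports of the same family; the SetErrorMode check is a small illustration of turning the raw argument values in these entries into something an analyst can act on.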
APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C3EF
• CoTaskMemFree.OLE32(?,0047C432), ref: 0047C425
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FolderFreeKnownPathTask
                                                                                                                                                                                                                                                        • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                                                                                                                                                                        • API String ID: 969438705-544719455
                                                                                                                                                                                                                                                        • Opcode ID: f49e17189a8e127d810c726b17742940271c18109cdabf392ea144cc89c97294
                                                                                                                                                                                                                                                        • Instruction ID: 78bb290b036081a8c854dfe2dcd0608ff47ffb153639a71a40c08638323bd745
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f49e17189a8e127d810c726b17742940271c18109cdabf392ea144cc89c97294
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 92E09B70340600AEDB11DB61DDA3F7977ACEB48B00BA18477F500E1681D67C6D00895C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00482FAA
                                                                                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00482FA1
                                                                                                                                                                                                                                                          • Part of subcall function 00482F6C: GetForegroundWindow.USER32(00000000,00000000,?,?,00482FD1,?,004830B6,?,?,00000000), ref: 00482F72
                                                                                                                                                                                                                                                          • Part of subcall function 00482F6C: GetWindowThreadProcessId.USER32(00000000,?), ref: 00482F84
                                                                                                                                                                                                                                                          • Part of subcall function 00482F6C: GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00482FD1,?,004830B6,?,?,00000000), ref: 00482F8D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CountProcessTickWindow$CurrentForegroundThread
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 711787588-0
                                                                                                                                                                                                                                                        • Opcode ID: 0111aa82c2b9838541359b9666df3c7aa511cc11df4b908869c74b293a307c4c
                                                                                                                                                                                                                                                        • Instruction ID: 2e8ccacf02ce903f79dbe11524d4d09067cf2d2383abf652664fbdbb30b0bc4a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0111aa82c2b9838541359b9666df3c7aa511cc11df4b908869c74b293a307c4c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8DD0A95020024241CE0032FB468622D0128AF1636CB001C2FBB4AAA083CE9C4086E33F
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0041F00E
                                                                                                                                                                                                                                                        • EnumThreadWindows.USER32(00000000,0041EF90,00000000), ref: 0041F014
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Thread$CurrentEnumWindows
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2396873506-0
                                                                                                                                                                                                                                                        • Opcode ID: 28faba8d13260114aebe4435219a546304dde162066a62bc81d999aa95987238
                                                                                                                                                                                                                                                        • Instruction ID: 1bd0ab66c6aeceffdc4f5e21b8af03a27ec20acb013402289ac5ff21683637d0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 28faba8d13260114aebe4435219a546304dde162066a62bc81d999aa95987238
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EBE02676600200AEDB12DF7AAD4575B37D0A394314F12483FA904D61A1D2745C84DB19
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                                                                                                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Virtual$AllocFree
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2087232378-0
                                                                                                                                                                                                                                                        • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                                                                                                                                                        • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                                                                                                                                                                                          • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                                                                                                                                                                                          • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
• Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
• Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
• Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
APIs
• SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
• Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
• Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
• Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
• SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C386,?,00000000,?,?,0046C598,?,00000000,0046C60C), ref: 0046C36A
  • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
  • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
• Opcode ID: 875ecd16d026c9fb2f47fe667a946e0b43a0f47f451e50900a60f5c842b0ed02
• Instruction ID: 7e5312134c404819c948a8388fb2839a3e812e0a8cd15d5c2d1e8ddeefbff487
• Opcode Fuzzy Hash: 875ecd16d026c9fb2f47fe667a946e0b43a0f47f451e50900a60f5c842b0ed02
• Instruction Fuzzy Hash: 7FF0E270209300BFEB15AFB2EC96B2977E8E748714F61443BF904C6690E6795880C52E
APIs
• CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
• Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
• Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
• Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
• Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
• Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AttributesFile
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3188754299-0
                                                                                                                                                                                                                                                        • Opcode ID: 00b3057be2b7f487f29192626b11eab3da9f9548613e8b85f168c5d0410c37ae
                                                                                                                                                                                                                                                        • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 00b3057be2b7f487f29192626b11eab3da9f9548613e8b85f168c5d0410c37ae
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FormatMessage
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1306739567-0
                                                                                                                                                                                                                                                        • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                                                                                                                                                                        • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateWindow
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 716092398-0
                                                                                                                                                                                                                                                        • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                                                                                                                                                                        • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Create
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                                                                                                                        • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                                                                                                                                                        • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(00000000,000000FF,00470848,00000000,0047165E,?,00000000,004716A7,?,00000000,004717E0,?,00000000,?,00000000), ref: 00454C0E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseFind
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1863332320-0
• Opcode ID: aadebc8b53df3de256c4b1b5725a3a32280a250bc883bef4a10d561e7000b356
• Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
• Opcode Fuzzy Hash: aadebc8b53df3de256c4b1b5725a3a32280a250bc883bef4a10d561e7000b356
• Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
APIs
• KiUserCallbackDispatcher.NTDLL(004955C2,?,004955E4,?,?,00000000,004955C2,?,?), ref: 0041469B
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
• Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: 7b120fb8f3e198202e6e1662029165cdd5ac94201a1216f50b6deb174ece9cf4
• Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
• Opcode Fuzzy Hash: 7b120fb8f3e198202e6e1662029165cdd5ac94201a1216f50b6deb174ece9cf4
• Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
• Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
• Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
• Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
APIs
• GetFileAttributesA.KERNEL32(00000000,?,00452C55,00000000,00452C6E,?,-00000001,00000000), ref: 0042CD77
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: e4e221269d90e6e77bb9141cf69f4d14af136adba67872c9c3d3ba7e619b8cd0
• Instruction ID: 2eab32a2699244162946c929296992ee32eb3599f5fc22494aed3d9886f7b4af
• Opcode Fuzzy Hash: e4e221269d90e6e77bb9141cf69f4d14af136adba67872c9c3d3ba7e619b8cd0
• Instruction Fuzzy Hash: 51D012D036121015DF1455BD28C535F05884B65375BA82F37B66DE62E2D23D8857281C
APIs
• KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467700,00000000,00000000,00000000,0000000C,00000000), ref: 00466A30
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CallbackDispatcherUser
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2492992576-0
                                                                                                                                                                                                                                                        • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                                                                                                                                                        • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 3e212e939afd4966d1e5dd69d95018e4efbd2efd6da352e945c0cda6919741a9
• Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
• Opcode Fuzzy Hash: 3e212e939afd4966d1e5dd69d95018e4efbd2efd6da352e945c0cda6919741a9
• Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
• Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
• Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
• Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
APIs
• SetEndOfFile.KERNEL32(?,?,0045C21A,00000000,0045C3A5,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497A0C,00000001,00000000,00000002,00000000,00497B6D,?,?,00000005,00000000,00497BA1), ref: 004506B7
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
• Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
• Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
• Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
APIs
• DeleteFileA.KERNEL32(00000000,0049B628,004982D1,00000000,00498326,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 974406c8209f5f2baf9aa7f60898e2c16b4dbb69ce3e1bfb04616041c36a0a4c
• Instruction ID: 1cff4f98fe1f8e2c1d524c72e998173d896329315b0501cca3ecf0a0fad01fcd
• Opcode Fuzzy Hash: 974406c8209f5f2baf9aa7f60898e2c16b4dbb69ce3e1bfb04616041c36a0a4c
• Instruction Fuzzy Hash: E4B012E13D224A26CB0079FE4CC1D1A00CC4A293063406A3A3006F72C3D83CC8180014
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,0049799A,00000000,00497B6D,?,?,00000005,00000000,00497BA1,?,?,00000000), ref: 004072B3
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CurrentDirectory
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1611563598-0
                                                                                                                                                                                                                                                        • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                                                                                                                                                        • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,00450010,00000000,?,004682B8,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 0044FE22
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 80b3e3336f136fa094e5bf735bbe293ae774cbadf16b6798ba5e4c8953333e60
• Instruction ID: 66f3cd114cd8849fa0b5cd02f95834ec0ce5bd652375c405162ae2aedd08d897
• Opcode Fuzzy Hash: 80b3e3336f136fa094e5bf735bbe293ae774cbadf16b6798ba5e4c8953333e60
• Instruction Fuzzy Hash: A1D0C9B05022448EDB50EB69FA8472233E4E328346F18503FE500CA26AF33A8C44CF9C
APIs
• SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
• Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
• Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
• Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
APIs
• FreeLibrary.KERNEL32(00000000,0048157B), ref: 0047CC36
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 7ac9dcef1b4596372a865af428db5c1749cc9498ac2df90e17d1b598c6576eff
• Instruction ID: ed453d699ff6dac46e13df25dce852f7a9571d2290e9a004c16fc2be8befa713
• Opcode Fuzzy Hash: 7ac9dcef1b4596372a865af428db5c1749cc9498ac2df90e17d1b598c6576eff
• Instruction Fuzzy Hash: A4C002717512018EC759DB799DD5B6536D8A724305F00543B5414E7165DA346440CB6C
APIs
• PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 004817C0
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 8abd7250b863d5bcc9c16d1c67e29cf1100666b6d2ef3896e20c3eae561ef315
• Instruction ID: fbd2fd99f2342ae97ce2e912f06b4f6775a0193fa59faa32ac81747571f1ea96
• Opcode Fuzzy Hash: 8abd7250b863d5bcc9c16d1c67e29cf1100666b6d2ef3896e20c3eae561ef315
• Instruction Fuzzy Hash: E2A002343C430430F47462511D03F4400441744F05EE1909573053C0C704D82520201E
APIs
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
• Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
• Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
• Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
• Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23cd19f4d157b610881d156a0561bf24660ed88a0cfede39be00974ae65a3954
• Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
• Opcode Fuzzy Hash: 23cd19f4d157b610881d156a0561bf24660ed88a0cfede39be00974ae65a3954
• Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
• Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
• Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
• Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
APIs
• GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
• Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
• Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
APIs
• VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction ID: fd45504e6079eb3c344fd15592bdf3984e08e9418c18d248e8b2091ea2ac4f2a
• Opcode Fuzzy Hash: 3cb279d385dc81f8188aef87182d0a586e7f532f71175ddb5b892d42a5daf7f8
• Instruction Fuzzy Hash: A10120766443148FC3109F29EDC0E2677E8D794378F15453EDA85673A1D37A6C0187D8
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                                                                                                                                                                                        • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                                                                                                                                                                                        • API String ID: 2323315520-3614243559
                                                                                                                                                                                                                                                        • Opcode ID: 14e3e5f2e917328749ef093614a986abae05d3f075f7e2c7ef23893690e5ba28
                                                                                                                                                                                                                                                        • Instruction ID: e724c2aa341d6685c6ab1c4031cb88844a897dd828fe35f3324890dc483947ec
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 14e3e5f2e917328749ef093614a986abae05d3f075f7e2c7ef23893690e5ba28
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E314FB2640700ABEB01EBB9AC46A6B3794F328724741093FB508D7192D77C5C55CF5C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 00458507
                                                                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(00000000,00000000,0045879A,?,?,00000000,00000000,?,00458E96,?,00000000,00000000), ref: 00458510
                                                                                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 0045851A
                                                                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32(?,00000000,00000000,0045879A,?,?,00000000,00000000,?,00458E96,?,00000000,00000000), ref: 00458523
                                                                                                                                                                                                                                                        • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458599
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 004585A7
                                                                                                                                                                                                                                                        • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458756), ref: 004585EF
                                                                                                                                                                                                                                                        • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00458745,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,00458756), ref: 00458628
                                                                                                                                                                                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                                                                                                                                                        • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004586D1
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00458707
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(000000FF,0045874C,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0045873F
                                                                                                                                                                                                                                                          • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85,00000000), ref: 0045349F
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                                                                                                                                                                        • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                                                                                                                                                                        • API String ID: 770386003-3271284199
                                                                                                                                                                                                                                                        • Opcode ID: 7b80e965207cd8113120de85ca987cc547943186837d511df9b56330fc4b4e25
                                                                                                                                                                                                                                                        • Instruction ID: 4fac45827f99e86d35fc8880dd95b28a2747ee355542b7261400ff42129ab219
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b80e965207cd8113120de85ca987cc547943186837d511df9b56330fc4b4e25
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 19710470A007449EDB10EF69CC45B9EBBF4EB19705F5084BAF904FB282DB7899448F69
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00477EF8: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F11
                                                                                                                                                                                                                                                          • Part of subcall function 00477EF8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477F17
                                                                                                                                                                                                                                                          • Part of subcall function 00477EF8: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F2A
                                                                                                                                                                                                                                                          • Part of subcall function 00477EF8: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C), ref: 00477F54
                                                                                                                                                                                                                                                          • Part of subcall function 00477EF8: CloseHandle.KERNEL32(00000000,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F72
                                                                                                                                                                                                                                                          • Part of subcall function 00477FD0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00478062,?,?,?,02132C0C,?,004780C4,00000000,004781DA,?,?,-00000010,?), ref: 00478000
                                                                                                                                                                                                                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00478114
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,004781DA,?,?,-00000010,?), ref: 0047811D
                                                                                                                                                                                                                                                        • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047816A
                                                                                                                                                                                                                                                        • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047818E
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,004781BF,00000000,00000000,000000FF,000000FF,00000000,004781B8,?,00000000,004781DA,?,?,-00000010,?), ref: 004781B2
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                                                                                                                                                                        • String ID: =G$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                                                                                                                                                                        • API String ID: 883996979-2356621170
                                                                                                                                                                                                                                                        • Opcode ID: 98a4e4fae55201d08ea22943755bdad011bffdb5cef3b6d211370a4e50a33d78
                                                                                                                                                                                                                                                        • Instruction ID: 465927b674a78934c6441533dfbac97f16e6c6102eec2a8575dd2df8133d4ea1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 98a4e4fae55201d08ea22943755bdad011bffdb5cef3b6d211370a4e50a33d78
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8531A770A40204AEDB11EFA6C8456DEB7B8EF05314F90843FF408F7682DB3C49018B19
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsIconic.USER32(?), ref: 00418393
                                                                                                                                                                                                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                                                                                                                                                                                        • GetWindowRect.USER32(?), ref: 004183CC
                                                                                                                                                                                                                                                        • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                                                                                                                                                                                        • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                                                                                                                                                                                        • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                                                                                                                                                                                        • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
• Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
• Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 1153bac2f19f83d143aadd10bfaa5f2371894b6c1f4acab214bba93ce73f3def
• Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
• Opcode Fuzzy Hash: 1153bac2f19f83d143aadd10bfaa5f2371894b6c1f4acab214bba93ce73f3def
• Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
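The function above (API String ID 107509674-3733053543) opens its own token, looks up SeShutdownPrivilege, enables it with AdjustTokenPrivileges and then calls ExitWindowsEx with uFlags 00000002, which is EWX_REBOOT; ExitWindowsEx cannot shut down or restart the system unless that privilege is held, so the three calls appear together whenever a program reboots the host. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses API lines in the format this report prints, decodes the ExitWindowsEx flag value, and records whether the shutdown privilege was enabled earlier in the same function. The regular expression, function names and the constructed sample trace (copied from the six API lines above) are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed sample input: the six API lines of the function above, in the
# "• Name.MODULE(args), ref: address" layout used by this report.
SAMPLE_TRACE = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
"""

ApiCall = namedtuple("ApiCall", "name module args ref")

# One report line: optional bullet, API name, module, argument list, call-site address.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# ExitWindowsEx uFlags bits from winuser.h. EWX_LOGOFF is the value 0, not a bit.
EWX_BITS = [
    (0x00000001, "EWX_SHUTDOWN"),
    (0x00000002, "EWX_REBOOT"),
    (0x00000004, "EWX_FORCE"),
    (0x00000008, "EWX_POWEROFF"),
    (0x00000010, "EWX_FORCEIFHUNG"),
    (0x00000040, "EWX_RESTARTAPPS"),
]


def parse_trace(text):
    """Parse report API lines into ApiCall records, sorted by call-site address.

    The sandbox lists calls by the address of the call instruction, which for a
    straight-line function is also the execution order; unknown argument values
    are printed as '?' and are kept as that string.
    """
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an API line (e.g. "Strings", "APIs", dump metadata)
        args = [a for a in m.group("args").split(",") if a != ""]
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def parse_arg(value):
    """Turn a report argument into an int, or None when the sandbox printed '?'."""
    return None if value == "?" else int(value, 16)


def decode_exitwindows_flags(value):
    """Name the bits set in an ExitWindowsEx uFlags value."""
    if value is None:
        return ["<unknown>"]
    if value == 0:
        return ["EWX_LOGOFF"]
    names = [name for bit, name in EWX_BITS if value & bit]
    leftover = value & ~sum(bit for bit, _ in EWX_BITS)
    if leftover:
        names.append("0x%08X" % leftover)  # bits this table does not cover
    return names


def find_shutdown_calls(calls):
    """Return one record per ExitWindowsEx call in the function.

    'privilege_enabled' is True when the function looked up SeShutdownPrivilege
    and then called AdjustTokenPrivileges before the ExitWindowsEx call site, which
    is the sequence the report shows; an ExitWindowsEx with EWX_SHUTDOWN or
    EWX_REBOOT and no privilege adjustment fails unless the token already holds it.
    """
    results = []
    saw_lookup = saw_adjust = False
    for c in calls:
        if c.name.startswith("LookupPrivilegeValue") and "SeShutdownPrivilege" in c.args:
            saw_lookup = True
        elif c.name == "AdjustTokenPrivileges" and saw_lookup:
            saw_adjust = True
        elif c.name == "ExitWindowsEx":
            flags = parse_arg(c.args[0]) if c.args else None
            results.append({
                "ref": c.ref,
                "flags": decode_exitwindows_flags(flags),
                "privilege_enabled": saw_adjust,
            })
    return results


if __name__ == "__main__":
    for hit in find_shutdown_calls(parse_trace(SAMPLE_TRACE)):
        print("ExitWindowsEx at %08X: %s, privilege enabled first: %s"
              % (hit["ref"], "|".join(hit["flags"]), hit["privilege_enabled"]))
```

Run against the sample it reports a single ExitWindowsEx at 0045564F with EWX_REBOOT and the privilege enabled beforehand. The same parser can be pointed at any other function's API list in this report; only ExitWindowsEx records are produced, so a function that merely enables SeShutdownPrivilege without rebooting yields an empty list.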
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,00497DC2,?,?,00000000,0049B628,?,00497F4C,00000000,00497FA0,?,?,00000000,0049B628), ref: 00497CDB
                                                                                                                                                                                                                                                        • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00497D5E
                                                                                                                                                                                                                                                        • FindNextFileA.KERNEL32(000000FF,?,00000000,00497D9A,?,00000000,?,00000000,00497DC2,?,?,00000000,0049B628,?,00497F4C,00000000), ref: 00497D76
                                                                                                                                                                                                                                                        • FindClose.KERNEL32(000000FF,00497DA1,00497D9A,?,00000000,?,00000000,00497DC2,?,?,00000000,0049B628,?,00497F4C,00000000,00497FA0), ref: 00497D94
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileFind$AttributesCloseFirstNext
                                                                                                                                                                                                                                                        • String ID: isRS-$isRS-???.tmp
                                                                                                                                                                                                                                                        • API String ID: 134685335-3422211394
                                                                                                                                                                                                                                                        • Opcode ID: 9a592638bc2750322f214c0eb344c8148df857e83d765ddb3acdf8ed9d2ec43c
                                                                                                                                                                                                                                                        • Instruction ID: 077204e4b59ba8174d874b411549c05da503e5c3c4c12a43784b6924d2c4c749
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a592638bc2750322f214c0eb344c8148df857e83d765ddb3acdf8ed9d2ec43c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 00317671A146086BCF11EF65CC81ADEBBBCDF45305F5085B7A808A32A1E6389E458F58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004574E9
                                                                                                                                                                                                                                                        • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457510
                                                                                                                                                                                                                                                        • SetForegroundWindow.USER32(?), ref: 00457521
                                                                                                                                                                                                                                                        • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004577F9,?,00000000,00457835), ref: 004577E4
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457664
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                                                                                                                                                                                        • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                                                                                                                                                                                        • API String ID: 2236967946-3182603685
                                                                                                                                                                                                                                                        • Opcode ID: 96aa167a3baa95a2338ad81f9a381b760b400273dfe998f23b0892c305739983
                                                                                                                                                                                                                                                        • Instruction ID: 49c7ca61fbccde69a4bda81b3c117289df4d71a96d4cc10d1dff28d50592e65c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 96aa167a3baa95a2338ad81f9a381b760b400273dfe998f23b0892c305739983
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4191CF34608204EFD715DF69E991F5ABBF9FB49304F2180BAEC0497792D638AE04DB58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsIconic.USER32(?), ref: 00417D0F
                                                                                                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                                                                                                                                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                                                                                                                                                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$Placement$Iconic
                                                                                                                                                                                                                                                        • String ID: ,
                                                                                                                                                                                                                                                        • API String ID: 568898626-3772416878
                                                                                                                                                                                                                                                        • Opcode ID: 9bef5f2699a14fc460bb8f4c137cb8544ee30b66db2c811631afee2a7eee1c15
                                                                                                                                                                                                                                                        • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9bef5f2699a14fc460bb8f4c137cb8544ee30b66db2c811631afee2a7eee1c15
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00464217), ref: 004640A5
• FindFirstFileA.KERNEL32(00000000,?,00000000,004641E2,?,00000001,00000000,00464217), ref: 004640EB
• FindNextFileA.KERNEL32(000000FF,?,00000000,004641C4,?,00000000,?,00000000,004641E2,?,00000001,00000000,00464217), ref: 004641A0
• FindClose.KERNEL32(000000FF,004641CB,004641C4,?,00000000,?,00000000,004641E2,?,00000001,00000000,00464217), ref: 004641BE
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: d1b1abdae6da0b26b18feb454965bdec43d4a67e9dcbe06fdf23a7501467d4e3
• Instruction ID: 06a8d60215f6d5d9d871a504bfff84f6e0c1ecbd426c21799f33ee47dd91da96
• Opcode Fuzzy Hash: d1b1abdae6da0b26b18feb454965bdec43d4a67e9dcbe06fdf23a7501467d4e3
• Instruction Fuzzy Hash: 8A418675A00A18DFCB10EFA5DC959DEB7B9EB88305F4044AAF804A7341E7789E848E59
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463D71), ref: 00463BE5
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463D44,?,00000001,00000000,00463D71), ref: 00463C74
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463D26,?,00000000,?,00000000,00463D44,?,00000001,00000000,00463D71), ref: 00463D06
• FindClose.KERNEL32(000000FF,00463D2D,00463D26,?,00000000,?,00000000,00463D44,?,00000001,00000000,00463D71), ref: 00463D20
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: c341d22c7a053e48ac2d12a3ad3a7dbd5d641ad6df1598854ae3d6088d37969b
• Instruction ID: 11f8cf6308ec642fe3db94f9052ed69b05f75390ec556d34b8037de08a3bd43b
• Opcode Fuzzy Hash: c341d22c7a053e48ac2d12a3ad3a7dbd5d641ad6df1598854ae3d6088d37969b
• Instruction Fuzzy Hash: 94418434A00A589FDB11EF65DC55ADEB7B8EF88306F4044BAF404A7381E67C9F488E59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
• Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
• Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
APIs
• IsIconic.USER32(?), ref: 004834CA
• GetWindowLongA.USER32(00000000,000000F0), ref: 004834E8
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,004829A6,004829DA,00000000,004829FA,?,?,?,0049C0A4), ref: 0048350A
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,004829A6,004829DA,00000000,004829FA,?,?,?,0049C0A4), ref: 0048351E
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
• Opcode ID: 7ffa2f78d84017fdfeacbfdda1e85d43c8c51a80690e172a9d98e1415006cbb5
• Instruction ID: 42b5823d88870d489630fed61ffe24a9a5c61b02f9884224dbb3fdac0babcbec
• Opcode Fuzzy Hash: 7ffa2f78d84017fdfeacbfdda1e85d43c8c51a80690e172a9d98e1415006cbb5
• Instruction Fuzzy Hash: 74017170705200ABEF01FFA5DD8AB5A37D46B14B45F08187BB9019F2A3CA6CEE41872C
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004626FC), ref: 00462680
• FindNextFileA.KERNEL32(000000FF,?,00000000,004626DC,?,00000000,?,00000000,004626FC), ref: 004626BC
• FindClose.KERNEL32(000000FF,004626E3,004626DC,?,00000000,?,00000000,004626FC), ref: 004626D6
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: f57a64d85c54d353e45a018184ec90ae3d27a327a474c1dd2b6888a4f83ab7a6
• Instruction ID: 348d5188472d8d67b5ed560b6c21b28065d15f8f2fc4a6e80af24ab03650058e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f57a64d85c54d353e45a018184ec90ae3d27a327a474c1dd2b6888a4f83ab7a6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F021D871904B087EDB11EB65CC41ADEBBACDB49304F5084F7A808E26A1E6B89E54CE59
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsIconic.USER32(?), ref: 004241E4
                                                                                                                                                                                                                                                        • SetActiveWindow.USER32(?,?,?,0046CC2B), ref: 004241F1
                                                                                                                                                                                                                                                          • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                                                                                                                                                          • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021325AC,0042420A,?,?,?,0046CC2B), ref: 00423B4F
                                                                                                                                                                                                                                                        • SetFocus.USER32(00000000,?,?,?,0046CC2B), ref: 0042421E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$ActiveFocusIconicShow
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 649377781-0
                                                                                                                                                                                                                                                        • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                                                                                                                                                                                        • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsIconic.USER32(?), ref: 00417D0F
                                                                                                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                                                                                                                                                                                        • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                                                                                                                                                                                        • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$Placement$Iconic
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 568898626-0
                                                                                                                                                                                                                                                        • Opcode ID: ebd707d3ae313beec07553f07bd7f77ab110097aa9cac76d67ea171003520b00
                                                                                                                                                                                                                                                        • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ebd707d3ae313beec07553f07bd7f77ab110097aa9cac76d67ea171003520b00
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CaptureIconic
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2277910766-0
                                                                                                                                                                                                                                                        • Opcode ID: c8f0edb1377470e81cbec4a2b95b5efcfd9f911131a56f14dd142127f01798ba
                                                                                                                                                                                                                                                        • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c8f0edb1377470e81cbec4a2b95b5efcfd9f911131a56f14dd142127f01798ba
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsIconic.USER32(?), ref: 0042419B
                                                                                                                                                                                                                                                          • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                                                                                                                                                                          • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                                                                                                                                                                          • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                                                                                                                                                                          • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                                                                                                                                                                        • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                                                                                                                                                                                          • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2671590913-0
                                                                                                                                                                                                                                                        • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
• Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
• Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478796
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 92d8ff69c8f9015843013c8ef6195f22e1eec5ec2e4e9776c301f132ad58bf6e
• Instruction ID: e013cb3c42dd58cceab177a6d205a04243eb2a1ac844c0beb79983e020d4b19f
• Opcode Fuzzy Hash: 92d8ff69c8f9015843013c8ef6195f22e1eec5ec2e4e9776c301f132ad58bf6e
• Instruction Fuzzy Hash: F7414939604104DF9B24CF99CA888AAB7F5FB48310B34C59AE80ADB705D738EE409B95
APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,004987D2), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
• Opcode ID: 95dc7e01f57bcb691e719ed2fb4b3cf68dab2605f840b59d7f83adc2db29b4cf
• Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
• Opcode Fuzzy Hash: 95dc7e01f57bcb691e719ed2fb4b3cf68dab2605f840b59d7f83adc2db29b4cf
• Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
APIs
• Sleep.KERNEL32(00000000,00000000,00492909,?,?,?,?,00000000,00000000,00000000), ref: 00492454
• FindWindowA.USER32(00000000,00000000), ref: 00492485
Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FindSleepWindow
                                                                                                                                                                                                                                                        • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                                                                                                                                                                        • API String ID: 3078808852-3310373309
                                                                                                                                                                                                                                                        • Opcode ID: b663632e49e180770bec75779cfad8c50b21de5265e4831b2eb78b7839abac61
                                                                                                                                                                                                                                                        • Instruction ID: f9b6100cdcb125238a703780d580572f8216b12678261aa4779c5284adf6670e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b663632e49e180770bec75779cfad8c50b21de5265e4831b2eb78b7839abac61
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AFC173A0B042003BDB14BF3E9D4551F59AA9B84708B11DA3FB446EB78BCE7DEC0A4359
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetDC.USER32(00000000), ref: 0041CA40
                                                                                                                                                                                                                                                        • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                                                                                                                                                                                        • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                                                                                                                                                                                        • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                                                                                                                                                                                        • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                                                                                                                                                                                        • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                                                                                                                                                                                        • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                                                                                                                                                                                        • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                                                                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                                                                                                                                                                                        • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                                                                                                                                                                                        • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                                                                                                                                                                                        • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                                                                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                                                                                                                                                                                        • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                                                                                                                                                                                          • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 269503290-0
                                                                                                                                                                                                                                                        • Opcode ID: 9806164d1606c634515afc64932ea3bc8f16e9e6d983aee2c5c16924e4641f34
                                                                                                                                                                                                                                                        • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9806164d1606c634515afc64932ea3bc8f16e9e6d983aee2c5c16924e4641f34
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetVersion.KERNEL32(0048069A), ref: 004502D3
                                                                                                                                                                                                                                                        • LoadLibraryA.KERNEL32(Rstrtmgr.dll,0048069A), ref: 004502EB
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450309
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 0045031E
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450333
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450348
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmRestart), ref: 0045035D
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450372
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$LibraryLoadVersion
                                                                                                                                                                                                                                                        • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                                                                                                                                                                        • API String ID: 1968650500-3419246398
                                                                                                                                                                                                                                                        • Opcode ID: 368ac912df4a413815acbb426437c023a97144279f6b51fe123355473e8d046a
                                                                                                                                                                                                                                                        • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 368ac912df4a413815acbb426437c023a97144279f6b51fe123355473e8d046a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ShowWindow.USER32(?,00000005,00000000,00498348,?,?,00000000,?,00000000,00000000,?,004986FF,00000000,00498709,?,00000000), ref: 00498033
                                                                                                                                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498348,?,?,00000000,?,00000000,00000000,?,004986FF,00000000), ref: 00498046
                                                                                                                                                                                                                                                        • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498348,?,?,00000000,?,00000000,00000000), ref: 00498056
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498077
• ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498348,?,?,00000000,?,00000000), ref: 00498087
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
• Opcode ID: be167af9581472d792d676f9cd6aca47b85cc2d924e5f6cfd1bab36a441b3776
• Instruction ID: 514ae71ba50caa4962cee2ce17bbe530033c2a842a2b30bc95236382d26c0aa5
• Opcode Fuzzy Hash: be167af9581472d792d676f9cd6aca47b85cc2d924e5f6cfd1bab36a441b3776
• Instruction Fuzzy Hash: AC91B734A046449FDF11EBA9C852BAE7BB4EF4A704F51447BF900AB292CE7D9805CB1D
APIs
• GetLastError.KERNEL32(00000000,0045A86C,?,?,?,?,?,00000006,?,00000000,00497439,?,00000000,004974DC), ref: 0045A71E
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast
• String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
• API String ID: 1452528299-3112430753
• Opcode ID: 013e8754df7b10902fd09dccc84370fbcd1ca9cb2211e1a7bf3e698d7b97e334
• Instruction ID: 048478fdc0414bf964f0012d81fb6b7d529e35510f272ac8cc0834971c44cb08
• Opcode Fuzzy Hash: 013e8754df7b10902fd09dccc84370fbcd1ca9cb2211e1a7bf3e698d7b97e334
• Instruction Fuzzy Hash: 31718230B042445BDB10EB6988417AE7BA5AF49315F50856BFC01EB383DB7CDA1E875E
APIs
• GetVersion.KERNEL32 ref: 0045CAB2
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CAD2
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CADF
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CAEC
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CAFA
  • Part of subcall function 0045C9A0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CA3F,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CA19
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CCED,?,?,00000000), ref: 0045CBB3
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CCED,?,?,00000000), ref: 0045CBBC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: b78dba30cedf2a73cdf13b83454b281f3a3408169449f6210df8ffb2a7e5822a
• Instruction ID: a358b2862a28276d7d6860985b60e8ecba44f528035a1e3ad3a8a0dac7ee7aee
• Opcode Fuzzy Hash: b78dba30cedf2a73cdf13b83454b281f3a3408169449f6210df8ffb2a7e5822a
• Instruction Fuzzy Hash: A15165B1A00708AFDB10DF99C885BAEBBB8EB48311F14806AF915E7241D6789945CF69
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
• CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
• GetDC.USER32(00000000), ref: 0041B402
• CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
• ReleaseDC.USER32(00000000,00000000), ref: 0041B455
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
• String ID:
• API String ID: 644427674-0
• Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
• Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(0045AA42,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AA42,00000003,00000000,00000000,00454B44), ref: 0045498D
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
• RegQueryValueExA.ADVAPI32(0045AA42,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AA42,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
• RegQueryValueExA.ADVAPI32(0045AA42,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AA42,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
• , xrefs: 004548FE
• RegOpenKeyEx, xrefs: 00454910
Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: QueryValue$FormatMessageOpen
                                                                                                                                                                                                                                                        • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                                                                                                                                                                        • API String ID: 2812809588-1577016196
                                                                                                                                                                                                                                                        • Opcode ID: fcd4d493ddb343decf7749ef48b5cbc365a509ed3611e34bcf7a5cf6bf8218e6
                                                                                                                                                                                                                                                        • Instruction ID: 10c729c5df0f457655d9edc07d187ac9b2ad403c2690153cc8aec617143616fc
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fcd4d493ddb343decf7749ef48b5cbc365a509ed3611e34bcf7a5cf6bf8218e6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D1914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0045923C: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459379,00000000,00459531,?,00000000,00000000,00000000), ref: 00459289
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459531,?,00000000,00000000,00000000), ref: 004593D7
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459531,?,00000000,00000000,00000000), ref: 00459441
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459531,?,00000000,00000000,00000000), ref: 004594A8
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0045938A
                                                                                                                                                                                                                                                        • v2.0.50727, xrefs: 00459433
                                                                                                                                                                                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 004593F4
                                                                                                                                                                                                                                                        • v4.0.30319, xrefs: 004593C9
                                                                                                                                                                                                                                                        • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0045945B
                                                                                                                                                                                                                                                        • .NET Framework version %s not found, xrefs: 004594E1
                                                                                                                                                                                                                                                        • .NET Framework not found, xrefs: 004594F5
                                                                                                                                                                                                                                                        • v1.1.4322, xrefs: 0045949A
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Close$Open
                                                                                                                                                                                                                                                        • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                                                                                                                                                                                        • API String ID: 2976201327-446240816
                                                                                                                                                                                                                                                        • Opcode ID: 350e4df8e04af077fe02aa66194ae6a40507e73a84c8321153f8b8b98bc436f5
                                                                                                                                                                                                                                                        • Instruction ID: a1bdb027ff648d56d57a6d7e975bd84a611c623bc5fe4c8cd801963552f4df29
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 350e4df8e04af077fe02aa66194ae6a40507e73a84c8321153f8b8b98bc436f5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A851A431A04145EBCB00DFA8D8A17EE77B6DB59305F5444BBE901DB352E63D9E0E8B18
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 00458953
                                                                                                                                                                                                                                                        • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0045896F
                                                                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0045897D
                                                                                                                                                                                                                                                        • GetExitCodeProcess.KERNEL32(?), ref: 0045898E
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004589D5
                                                                                                                                                                                                                                                        • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004589F1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Stopping 64-bit helper process. (PID: %u), xrefs: 00458945
                                                                                                                                                                                                                                                        • Helper process exited., xrefs: 0045899D
                                                                                                                                                                                                                                                        • Helper isn't responding; killing it., xrefs: 0045895F
                                                                                                                                                                                                                                                        • Helper process exited with failure code: 0x%x, xrefs: 004589BB
                                                                                                                                                                                                                                                        • Helper process exited, but failed to get exit code., xrefs: 004589C7
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                                                                                                                                                                        • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                                                                                                                                                                        • API String ID: 3355656108-1243109208
                                                                                                                                                                                                                                                        • Opcode ID: 19115aeb8cc828f4877c8e64310325412b092dec34bdac0bc308453008b78928
                                                                                                                                                                                                                                                        • Instruction ID: 607cb17b66f328b897cb67912c8e5c96499f04238989bb189b7f5ef4a6f94b21
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 19115aeb8cc828f4877c8e64310325412b092dec34bdac0bc308453008b78928
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 502130B16087409BD710E77DC44576BB7D49F48305F04892FB99AEB293DE78E8488B2B
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                                                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                                                                                                                                                                                          • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
• , xrefs: 004545B1
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
• RegCreateKeyEx, xrefs: 004545C3
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: eb870b7264be2e79576d733cc433dee21af662c2ed5ee69006979a4f4339c867
• Instruction ID: cde7545684c4620c2d036396f19d9a4160a162433608d969df8f63117b7f1412
• Opcode Fuzzy Hash: eb870b7264be2e79576d733cc433dee21af662c2ed5ee69006979a4f4339c867
• Instruction Fuzzy Hash: AC81FF75A00209ABDB00DFD5C981BDEB7B9EB49309F50452AF900FB282D7789A45CB69
APIs
  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004969FD,_iu,?,00000000,004539F6), ref: 004539AB
  • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004969FD,_iu,?,00000000,004539F6), ref: 004539BB
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004968A9
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004969FD), ref: 004968CA
• CreateWindowExA.USER32(00000000,STATIC,00496A0C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004968F1
• SetWindowLongA.USER32(?,000000FC,00496084), ref: 00496904
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004969D0,?,?,000000FC,00496084,00000000,STATIC,00496A0C), ref: 00496934
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004969A8
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004969D0,?,?,000000FC,00496084,00000000), ref: 004969B4
  • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
• DestroyWindow.USER32(?,004969D7,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004969D0,?,?,000000FC,00496084,00000000,STATIC), ref: 004969CA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
• String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
• API String ID: 1549857992-2312673372
• Opcode ID: 0ff8806cfc16226b8271fea6881625880f8b34c0fceb2e6630b06791538ea603
• Instruction ID: 05662a77ac8dbb229cb1f217f99859aac6875f761ccc70cea94f4b310aaeaa54
• Opcode Fuzzy Hash: 0ff8806cfc16226b8271fea6881625880f8b34c0fceb2e6630b06791538ea603
• Instruction Fuzzy Hash: 85414D70A00208AFDF00EFA5DC42F9E7BB8EB09704F11457AF510F7291D679AA008B68
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E224,00000000), ref: 0042E441
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E224,00000000), ref: 0042E495
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
• API String ID: 4190037839-2312295185
• Opcode ID: 35095e656ef5d7fa0a9fc776174aa0ebe5c7f31f1e54572c1a22f8c063aae220
• Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
• Opcode Fuzzy Hash: 35095e656ef5d7fa0a9fc776174aa0ebe5c7f31f1e54572c1a22f8c063aae220
• Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
APIs
• GetActiveWindow.USER32 ref: 004628D4
• GetModuleHandleA.KERNEL32(user32.dll), ref: 004628E8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004628F5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462902
• GetWindowRect.USER32(?,00000000), ref: 0046294E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 0046298C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
• String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
• API String ID: 2610873146-3407710046
• Opcode ID: 51933d510fdc2b35f8277f6e81f95ff0a6ecacb1625e4b1c97d49bbd47144a3d
• Instruction ID: b88ed3b497c956bed5d3405569dd74873656c78e9379ed97482968eb64e54f8d
• Opcode Fuzzy Hash: 51933d510fdc2b35f8277f6e81f95ff0a6ecacb1625e4b1c97d49bbd47144a3d
• Instruction Fuzzy Hash: E22183B5705B147BD7009A64DD41F7F3699DBC4720F09453AF944DB382E6B8EC048A9A
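The entries above list, per function, the Windows API calls Joe Sandbox observed together with the argument values it read off the stack at the call site, plus the string constants and fuzzy hashes it uses for similarity matching. The Python below is an editor's example added here; it is not part of the Joe Sandbox report or its tooling. It parses that "APIs" listing into structured records so the calls can be queried: which functions resolve imports at run time through GetProcAddress, and which literal strings reach which API. The SAMPLE text is a constructed excerpt of the entries on this page. Two caveats for anyone reading these listings: the argument values are a stack snapshot, not decoded parameters, so a string can surface under the wrong call (the GetModuleHandleA bullet above carries GetUserDefaultUILanguage while the neighbouring GetProcAddress bullet shows kernel32.dll), and the `_iu`/`.tmp` temporary copy combined with the `/SECONDPHASE="%s" /FIRSTPHASEWND=$%x` command line is the two-phase uninstaller handoff used by Inno Setup-built installers, so that function is installer framework code and not, on its own, evidence of payload behaviour.

```python
import re

# One bullet of a Joe Sandbox "APIs" list. Three shapes occur in the report:
#   GetActiveWindow.USER32 ref: 004628D4
#   GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004628F5
#   Part of subcall function 004538BC: CopyFileA.KERNEL32(...), ref: 004968A9
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
IMMEDIATE_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # a 32-bit value read off the stack

# Constructed excerpt of the report entries on this page (two functions).
SAMPLE = """\
APIs
  • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004969FD,_iu,?,00000000,004539F6), ref: 004539AB
  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004968A9
  • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,004969FD), ref: 004968CA
  • CreateWindowExA.USER32(00000000,STATIC,00496A0C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004968F1
Strings
Memory Dump Source
  • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
  • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
  • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
APIs
  • GetActiveWindow.USER32 ref: 004628D4
  • GetModuleHandleA.KERNEL32(user32.dll), ref: 004628E8
  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004628F5
  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462902
Similarity
  • API ID: Window$AddressProc$ActiveHandleModuleRect
  • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
"""


def _clean(line):
    # drop extraction indentation and the bullet glyph the report uses
    return line.strip().lstrip("•").strip()


def parse_entries(text):
    """Split report text into per-function entries, one per "APIs" heading.

    Each entry is a dict:
      calls     - [{"api", "module", "args", "ref", "subfn"}] in listing order;
                  "subfn" is set for "Part of subcall function" bullets
      api_id    - the Similarity "API ID" line, or None
      string_id - the Similarity "String ID" line, kept raw because the report's
                  '$' separator also occurs inside Delphi-style hex format
                  strings such as FIRSTPHASEWND=$%x
    """
    entries, cur = [], None
    for raw in text.splitlines():
        line = _clean(raw)
        if line == "APIs":
            cur = {"calls": [], "api_id": None, "string_id": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur["calls"].append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                "subfn": m.group("subfn"),
            })
        elif line.startswith("API ID: "):
            cur["api_id"] = line[len("API ID: "):]
        elif line.startswith("String ID: "):
            cur["string_id"] = line[len("String ID: "):]
    return entries


def string_args(entry):
    """(api, argument) pairs whose argument is a literal string rather than a
    32-bit immediate or an unresolved '?' slot."""
    out = []
    for call in entry["calls"]:
        for a in call["args"]:
            if a != "?" and not IMMEDIATE_RE.match(a):
                out.append((call["api"], a))
    return out


def resolved_exports(entry):
    """Names passed as the second argument of GetProcAddress: imports the
    function resolves at run time instead of through the import table."""
    return [c["args"][1] for c in entry["calls"]
            if c["api"] == "GetProcAddress" and len(c["args"]) >= 2]


if __name__ == "__main__":
    for i, e in enumerate(parse_entries(SAMPLE)):
        print(f"entry {i}: {len(e['calls'])} calls, API ID {e['api_id']}")
        print("  dynamic imports:", resolved_exports(e))
        print("  string args:", string_args(e))
```

Feed it the text copied from a report's function listing; because the stack-snapshot arguments are kept verbatim, anything `string_args` returns should be cross-checked against the neighbouring bullets before being treated as the real parameter of that call.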
APIs
• GetActiveWindow.USER32 ref: 0042F194
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
• GetWindowRect.USER32(?,00000000), ref: 0042F20E
• SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                                                                                                                                                                        • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                                                                                                                                                                        • API String ID: 2610873146-3407710046
                                                                                                                                                                                                                                                        • Opcode ID: d03a5336eb35153ccda785e1be34bacea57cfdeb7a98c38ce42309e3d491c1fb
                                                                                                                                                                                                                                                        • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d03a5336eb35153ccda785e1be34bacea57cfdeb7a98c38ce42309e3d491c1fb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458CD3,?,00000000,00458D36,?,?,00000000,00000000), ref: 00458B51
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458C68,?,00000000,00000001,00000000,00000000,00000000,00458CD3), ref: 00458BAE
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458C68,?,00000000,00000001,00000000,00000000,00000000,00458CD3), ref: 00458BBB
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458C07
• GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458C41,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458C68,?,00000000), ref: 00458C2D
• GetLastError.KERNEL32(?,?,00000000,00000001,00458C41,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00458C68,?,00000000), ref: 00458C34
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85,00000000), ref: 0045349F
Strings
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: cd445275fb89d6df69e78ee85778bd79cffcc07580db40040f45f034c0efb706
• Instruction ID: 0ef67bb603c363795969125e94a580235eeff181ddb05b6f1d1be6d110ffec77
• Opcode Fuzzy Hash: cd445275fb89d6df69e78ee85778bd79cffcc07580db40040f45f034c0efb706
• Instruction Fuzzy Hash: 70418E71A00608EFDB15DF95C981F9EB7F9EB08715F1040AAF900F7292DA789E44DA28
APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456D5D,?,?,00000031,?), ref: 00456C20
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456C26
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00456C73
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85,00000000), ref: 0045349F
Strings
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: 3e19e1f9d82f0627edce4b12e1e0f8f8c598e604cb4ac052333ecb52fec70c2c
• Instruction ID: b3f5faa621b90d83088b4b17fb935927980fc0aea231793fdf23f6d5fbfe6d64
• Opcode Fuzzy Hash: 3e19e1f9d82f0627edce4b12e1e0f8f8c598e604cb4ac052333ecb52fec70c2c
• Instruction Fuzzy Hash: 3E31A371B00604AFDB12EFAACC11D5A77BDEB897057528466FC04D3352DA38DD08CB28
APIs
• RectVisible.GDI32(?,?), ref: 00416E13
• SaveDC.GDI32(?), ref: 00416E27
• IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
• RestoreDC.GDI32(?,?), ref: 00416E65
• CreateSolidBrush.GDI32(00000000), ref: 00416EE5
• FrameRect.USER32(?,?,?), ref: 00416F18
• DeleteObject.GDI32(?), ref: 00416F22
• CreateSolidBrush.GDI32(00000000), ref: 00416F32
• FrameRect.USER32(?,?,?), ref: 00416F65
• DeleteObject.GDI32(?), ref: 00416F6F
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: 9d71f870ed9c6b7adb0073f445c908c0d6bb0069ee5c7552777bb1b8ba5f0c9b
• Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
• Opcode Fuzzy Hash: 9d71f870ed9c6b7adb0073f445c908c0d6bb0069ee5c7552777bb1b8ba5f0c9b
• Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1694776339-0
                                                                                                                                                                                                                                                        • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                                                                                        • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422233
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: fc4199aaac3f99511bb4ff32e12d7dfce3aae71cb8e2bfb07c8f1265a7c3622c
• Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
• Opcode Fuzzy Hash: fc4199aaac3f99511bb4ff32e12d7dfce3aae71cb8e2bfb07c8f1265a7c3622c
• Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
APIs
• SHGetMalloc.SHELL32(?), ref: 0046159F
• GetActiveWindow.USER32 ref: 00461603
• CoInitialize.OLE32(00000000), ref: 00461617
• SHBrowseForFolder.SHELL32(?), ref: 0046162E
• CoUninitialize.OLE32(0046166F,00000000,?,?,?,?,?,00000000,004616F3), ref: 00461643
• SetActiveWindow.USER32(?,0046166F,00000000,?,?,?,?,?,00000000,004616F3), ref: 00461659
• SetActiveWindow.USER32(?,?,0046166F,00000000,?,?,?,?,?,00000000,004616F3), ref: 00461662
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: 30089e3c30d0c3d36f39b8b1d4781c2a21ffec0060a5585bd299ad216e4990aa
• Instruction ID: 887b805d7b7894e7c3e16e65f0cb8bc8b62606f18410bd973e890a89b0dd1abf
• Opcode Fuzzy Hash: 30089e3c30d0c3d36f39b8b1d4781c2a21ffec0060a5585bd299ad216e4990aa
• Instruction Fuzzy Hash: 3D310F70E00348AFDB01EFB6D885A9EBBF8EB09304F55447AF415E7251E7785A04CB5A
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D195
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D1A5
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D1B5
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D1C5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 80c5134a1f55eac21adb9a8231f5c97f635f55f56804fe188f7ba9ee36614b8d
• Instruction ID: e76692604156c969a14c628a7f3d38bcbb79e262894e7ece3495cd036a1d4bae
• Opcode Fuzzy Hash: 80c5134a1f55eac21adb9a8231f5c97f635f55f56804fe188f7ba9ee36614b8d
• Instruction Fuzzy Hash: 640162B0D00701DAD728DFB6ACD172636A5EBA4306F10C13BE809962A2D37D4459DF3D
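Added example, not part of the Joe Sandbox report or of the analysed sample: a Python helper that parses the "APIs" bullets of the CreateFileA, DeleteMenu/EnableMenuItem and GetProcAddress records above and decodes the Win32 constants in them. The decoded names are what turn the raw hex into a reading of each routine: the file routine opens for GENERIC_READ with FILE_SHARE_WRITE and OPEN_EXISTING, seeks and reads 0x80 bytes, then seeks to FILE_END; the menu routine deletes SC_TASKLIST, SC_MAXIMIZE, SC_MINIMIZE, SC_SIZE and SC_RESTORE from the system menu and greys SC_MINIMIZE and SC_MAXIMIZE; the last routine resolves zlib's inflate* entry points by name with GetProcAddress instead of importing them. The constant values are taken from the Windows SDK headers. Two interpretations are assumptions, marked in the code: that the argument slots after a callee's parameter count are leftovers from earlier calls (the repetition is visible in the bullets above), and that the report prints STD_OUTPUT_HANDLE (0xFFFFFFF5) as 000000F5. The sample text is constructed from bullets copied from these records.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

Arg = Union[int, str, None]   # hex dword (negative when printed with '-'), string literal, or '?' -> None
# One "APIs" bullet, e.g. "• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000), ref: 00404B86"
API_LINE = re.compile(r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
HEX_ARG = re.compile(r"^(-?)([0-9A-Fa-f]{8})$")
# Win32 constants from the SDK headers, limited to the calls in the records above.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
SC_CMD = {0xF000: "SC_SIZE", 0xF010: "SC_MOVE", 0xF020: "SC_MINIMIZE", 0xF030: "SC_MAXIMIZE",
          0xF060: "SC_CLOSE", 0xF120: "SC_RESTORE", 0xF130: "SC_TASKLIST"}
MF_BYPOSITION = 0x400
MF_ENABLE = {0: "MF_ENABLED", 1: "MF_GRAYED", 2: "MF_DISABLED"}
# STD_OUTPUT_HANDLE is (DWORD)-11 = 0xFFFFFFF5; the report prints that slot as 000000F5, so only the
# low byte is matched (an assumption about how the report renders it).
STD_HANDLE = {0xF6: "STD_INPUT_HANDLE", 0xF5: "STD_OUTPUT_HANDLE", 0xF4: "STD_ERROR_HANDLE"}
# Constructed sample: bullets copied from the records above, plus a heading that must be skipped.
SAMPLE = """APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D195
• GetActiveWindow.USER32 ref: 00461603
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int            # call-site address inside the dumped image

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    m = HEX_ARG.match(tok)
    if m:
        v = int(m.group(2), 16)
        return -v if m.group(1) else v
    return tok          # string argument such as inflateInit_

def parse_api_lines(text: str) -> List[ApiCall]:
    """Every API bullet in `text`, in order; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [parse_arg(t) for t in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

def flags(value: Arg, table: Dict[int, str]) -> str:
    """Bitmask -> OR-ed symbolic names; unknown bits stay as hex, unknown slots as '?'."""
    if not isinstance(value, int):
        return "?"
    rest, names = value & 0xFFFFFFFF, []
    for bit, name in table.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(f"0x{rest:08X}")
    return "|".join(names)

def enum(value: Arg, table: Dict[int, str]) -> str:
    return table.get(value, f"0x{value & 0xFFFFFFFF:08X}") if isinstance(value, int) else "?"

def describe(call: ApiCall) -> str:
    """Decode only the leading slots that are the callee's parameters: the report prints a fixed
    window of stack dwords, so later slots are leftovers from earlier calls (assumption) and are ignored."""
    a, n = call.args, call.name
    if n == "CreateFileA" and len(a) >= 6:
        return (f"CreateFileA(access={flags(a[1], GENERIC)}, share={flags(a[2], SHARE)}, "
                f"disposition={enum(a[4], DISPOSITION)}, attrs={flags(a[5], ATTRS)})")
    if n == "SetFilePointer" and len(a) >= 4:
        return f"SetFilePointer(distance={a[1]}, method={enum(a[3], MOVE_METHOD)})"
    if n == "GetStdHandle" and a:
        low = a[0] & 0xFF if isinstance(a[0], int) else a[0]
        return f"GetStdHandle({enum(low, STD_HANDLE)})"
    if n in ("DeleteMenu", "EnableMenuItem") and len(a) >= 3 and isinstance(a[2], int):
        item = f"position={a[1]}" if a[2] & MF_BYPOSITION else f"item={enum(a[1], SC_CMD)}"
        if n == "DeleteMenu":
            return f"DeleteMenu({item})"
        return f"EnableMenuItem({item}, {enum(a[2] & ~MF_BYPOSITION, MF_ENABLE)})"
    if n == "GetProcAddress" and len(a) >= 2:
        return f"GetProcAddress({a[1]!r})"
    return f"{n}({len(a)} slots)"   # calls this example does not decode: name and slot count only
```

Run it over the "APIs" text of any record (`[describe(c) for c in parse_api_lines(text)]`); slots the report prints as `?` decode to `?` rather than failing, and calls without a decoder fall back to their name and slot count.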
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                                                                                                                                                                                        • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                                                                                                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                                                                                                                                                                                        • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                                                                                                                                                                                        • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Color$StretchText
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2984075790-0
                                                                                                                                                                                                                                                        • Opcode ID: d5776733ae79b3841affab46b3657f1400c4e8fd3bac8129ab5b82e8e92c5d66
                                                                                                                                                                                                                                                        • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d5776733ae79b3841affab46b3657f1400c4e8fd3bac8129ab5b82e8e92c5d66
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                                                                                                                                                                                        • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                                                                                                                                                                                        • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                                                                                                                                                                                        • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                                                                                                                                                                                        • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                                                                                                                                                                                        • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Text$Color$Draw$OffsetRect
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1005981011-0
                                                                                                                                                                                                                                                        • Opcode ID: 64e894641ce67cbe80cb84d1f014edff4e193ae3d7429a1fbcc6453b09a2e017
                                                                                                                                                                                                                                                        • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 64e894641ce67cbe80cb84d1f014edff4e193ae3d7429a1fbcc6453b09a2e017
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFocus.USER32 ref: 0041B745
                                                                                                                                                                                                                                                        • GetDC.USER32(?), ref: 0041B751
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                                                                                                                                                                                        • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                                                                                                                                                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                                                                                                                                                                        • String ID: 3!H
                                                                                                                                                                                                                                                        • API String ID: 3275473261-770989722
                                                                                                                                                                                                                                                        • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                                                                                                                                                                                        • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFocus.USER32 ref: 0041BA17
                                                                                                                                                                                                                                                        • GetDC.USER32(?), ref: 0041BA23
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                                                                                                                                                                                        • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                                                                                                                                                                                        • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: 3!H
• API String ID: 3275473261-770989722
• Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
• Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
APIs
  • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C21A,00000000,0045C3A5,?,00000000,00000002,00000002), ref: 00450933
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004982D1,00000000,00498326,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00496161
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496175
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0049618F
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049619B
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004961A1
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004961B4
Strings
• Deleting Uninstall data files., xrefs: 004960D7
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: 098eea10618780f686b7a3c8f577816b854df39408f499a4f4d6e418665acdc5
• Instruction ID: f761780b945b7fe8b82d6e025c481ead527c030d3f8fe43749ea068a3773b499
• Opcode Fuzzy Hash: 098eea10618780f686b7a3c8f577816b854df39408f499a4f4d6e418665acdc5
• Instruction Fuzzy Hash: 10217370304250AFEB10E77AEC87B2A3798DB15328F52453BB504962E3D67CAC04CA6D
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004701D5,?,?,?,?,00000000), ref: 0047013F
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004701D5), ref: 00470156
• AddFontResourceA.GDI32(00000000), ref: 00470173
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00470187
Strings
• Failed to set value in Fonts registry key., xrefs: 00470148
• AddFontResource, xrefs: 00470191
• Failed to open Fonts registry key., xrefs: 0047015D
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: 01bf44dadb164a8cfbd18d444b82604aded5fab2352620559528e680a448af29
• Instruction ID: edb246ac8d360be22e831a605db15bcf50c93ef0f31456572a4f1831c9a006fe
• Opcode Fuzzy Hash: 01bf44dadb164a8cfbd18d444b82604aded5fab2352620559528e680a448af29
• Instruction Fuzzy Hash: 2B21B270741204BAD710EAA69C42F9E779DDB45704FA08077F904EB3C2DA7D9E02866D
APIs
  • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
  • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
  • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
• GetVersion.KERNEL32 ref: 00462D38
• SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462D76
• SHGetFileInfo.SHELL32(00462E14,00000000,?,00000160,00004011), ref: 00462D93
• LoadCursorA.USER32(00000000,00007F02), ref: 00462DB1
• SetCursor.USER32(00000000,00000000,00007F02,00462E14,00000000,?,00000160,00004011), ref: 00462DB7
• SetCursor.USER32(?,00462DF7,00007F02,00462E14,00000000,?,00000160,00004011), ref: 00462DEA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: a2e9ae9cb6bbe51d8d64c1330c559a6660772c754723a6bd460fb469bd151c7a
• Instruction ID: ffdf2bcf01de770556fc9a1a904d7b5cbe2215756c8dfda3fdc8a5fea8adaa53
• Opcode Fuzzy Hash: a2e9ae9cb6bbe51d8d64c1330c559a6660772c754723a6bd460fb469bd151c7a
• Instruction Fuzzy Hash: 5221D5307407047BE711BB758D47B9A3698EB09708F4004BFF604EA2C3EEBD985186AD
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F11
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477F17
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F2A
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132C0C,?,?,?,02132C0C), ref: 00477F54
• CloseHandle.KERNEL32(00000000,?,?,?,02132C0C,004780BC,00000000,004781DA,?,?,-00000010,?), ref: 00477F72
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 02635a6eba41d1d381b3ff010b71e21b86f61c13db2d6aeaf7634f2930668ec2
                                                                                                                                                                                                                                                        • Instruction ID: f6b14e4403fa6e021c9b420378acc5d4cb4866daa4f233b6b4aef587dbeed81a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 02635a6eba41d1d381b3ff010b71e21b86f61c13db2d6aeaf7634f2930668ec2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0401B951748B0436E520326A4D86FBB654D8B4076DF648537FA1CEF2D2D9AC9D06019E
APIs
• GetLastError.KERNEL32(00000000,00459E66,?,00000000,00000000,00000000,?,00000006,?,00000000,00497439,?,00000000,004974DC), ref: 00459DAA
  • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
Strings
• Failed to delete directory (%d)., xrefs: 00459E40
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459E1F
• Stripped read-only attribute., xrefs: 00459D6C
• Failed to strip read-only attribute., xrefs: 00459D78
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459D84
• Deleting directory: %s, xrefs: 00459D33
• Failed to delete directory (%d). Will retry later., xrefs: 00459DC3
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: 2b5b70f1799cd2e20623f0c3bad5597a11f99a08b1534049f065463acc6bba50
• Instruction ID: 487a8df0da378a50a54402f8a8e6859597fb7ae5ca12eb66e0df57f27e629c6b
• Opcode Fuzzy Hash: 2b5b70f1799cd2e20623f0c3bad5597a11f99a08b1534049f065463acc6bba50
• Instruction Fuzzy Hash: 1F417130A04244CACB10EB69C8423AE76A59F8930AF54857BAC15A73D3DB7C8D0DC75A
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
• GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
• GetActiveWindow.USER32 ref: 0042F2DA
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
• SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$ActiveLong$Message
• String ID:
• API String ID: 2785966331-0
• Opcode ID: 11db5c39fda7e9e37fc13726db040ca70a735e85c888501a128082291c1f2969
• Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
• Opcode Fuzzy Hash: 11db5c39fda7e9e37fc13726db040ca70a735e85c888501a128082291c1f2969
• Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
APIs
• GetDC.USER32(00000000), ref: 0042948A
• GetTextMetricsA.GDI32(00000000), ref: 00429493
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 004294A2
• GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
• SelectObject.GDI32(00000000,00000000), ref: 004294B6
• ReleaseDC.USER32(00000000,00000000), ref: 004294BE
• GetSystemMetrics.USER32(00000006), ref: 004294E3
• GetSystemMetrics.USER32(00000006), ref: 004294FD
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 33023116b38033d851b06c26603ef1f627da642c76d1d31b10a48b25f89d3417
• Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
• Opcode Fuzzy Hash: 33023116b38033d851b06c26603ef1f627da642c76d1d31b10a48b25f89d3417
• Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
APIs
• GetDC.USER32(00000000), ref: 0041DE27
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
• ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
• MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
• GetStockObject.GDI32(00000007), ref: 0041DE5B
• GetStockObject.GDI32(00000005), ref: 0041DE67
• GetStockObject.GDI32(0000000D), ref: 0041DE73
• LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 225703358-0
                                                                                                                                                                                                                                                        • Opcode ID: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                                                                                                                                                                                        • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 93123cf7b7da28845296a778695a34f9ae7968dfa7e72d2685fd09fde09bf652
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0046321C
                                                                                                                                                                                                                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,004632B1), ref: 00463222
                                                                                                                                                                                                                                                        • SetCursor.USER32(?,00463299,00007F02,00000000,004632B1), ref: 0046328C
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Cursor$Load
                                                                                                                                                                                                                                                        • String ID: $ $Internal error: Item already expanding
                                                                                                                                                                                                                                                        • API String ID: 1675784387-1948079669
                                                                                                                                                                                                                                                        • Opcode ID: d6abcfe13bbf9e478e2ac3749bb31cb32d16938431ae96ca9092eb1d8a5228c9
                                                                                                                                                                                                                                                        • Instruction ID: 9c63b88249a6b2a043d95d6a291c06ea88b324d4d5646231a91c330f02ea7575
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d6abcfe13bbf9e478e2ac3749bb31cb32d16938431ae96ca9092eb1d8a5228c9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6B1A130A00284DFD711DF65C585B9ABBF4AF04305F1484AEE8459B792EB7CEE44CB5A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                                                                        • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                                                                                                                                                                        • API String ID: 390214022-3304407042
                                                                                                                                                                                                                                                        • Opcode ID: 3a7f67efcd7e81dadc528b9d15263cd5cedffac5342d4ba97c059f53dc3f2af1
                                                                                                                                                                                                                                                        • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3a7f67efcd7e81dadc528b9d15263cd5cedffac5342d4ba97c059f53dc3f2af1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                                                                                                                                                                                          • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                                                                                                                                                                          • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                                                                                        • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                                                                                        • API String ID: 1044490935-665933166
                                                                                                                                                                                                                                                        • Opcode ID: 1aa54b825be0663a048d9151eb266916599812ed65bca77d997a641661a7f1c7
                                                                                                                                                                                                                                                        • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1aa54b825be0663a048d9151eb266916599812ed65bca77d997a641661a7f1c7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                                                                                                                                                                                        • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                                                                                                                                                                                          • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                                                                                                                                                                                        • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                                                                                                                                                                                          • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                                                                                                                                                                                        • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                                                                                                                                                                        • String ID: ,$?
                                                                                                                                                                                                                                                        • API String ID: 2359071979-2308483597
                                                                                                                                                                                                                                                        • Opcode ID: 1956e794d50847aa48f090e1e974dc612a96ae6ee68340223bb9305f49f23e04
                                                                                                                                                                                                                                                        • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1956e794d50847aa48f090e1e974dc612a96ae6ee68340223bb9305f49f23e04
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                                                                                                                                                                                        • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                                                                                                                                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                                                                                                                                                                                        • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                                                                                                                                                                                        • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                                                                                                                                                                                        • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1030595962-0
                                                                                                                                                                                                                                                        • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                                                                                                                                                                        • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                                                                                                                                                                                        • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                                                                                                                                                                                        • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                                                                                                                                                                                        • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                                                                                                                                                                                        • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                                                                                                                                                                                        • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2222416421-0
                                                                                                                                                                                                                                                        • Opcode ID: 005477d534ded6a1333eb88360c51d017015bb26bfeda877011d4b02ad3af21b
                                                                                                                                                                                                                                                        • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 005477d534ded6a1333eb88360c51d017015bb26bfeda877011d4b02ad3af21b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SendMessageA.USER32(00000000,?,?), ref: 00457206
                                                                                                                                                                                                                                                          • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                                                                                                                                                                                          • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                                                                                                                                                                          • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                                                                                                                                                                          • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                                                                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045726D
                                                                                                                                                                                                                                                        • TranslateMessage.USER32(?), ref: 0045728B
                                                                                                                                                                                                                                                        • DispatchMessageA.USER32(?), ref: 00457294
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                                                                                                                                                                        • String ID: [Paused]
                                                                                                                                                                                                                                                        • API String ID: 1007367021-4230553315
                                                                                                                                                                                                                                                        • Opcode ID: d02ef8ab2bf39247f1fe84a4d4970361fc03c061cec3499ad24772e3637fd057
                                                                                                                                                                                                                                                        • Instruction ID: 59d40607b048d5b57409de994e913315237add37533dbcd11464ac15b97af71d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d02ef8ab2bf39247f1fe84a4d4970361fc03c061cec3499ad24772e3637fd057
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8731CA309082449EDB11DBB5EC81BDE7BB8DB49314F5540B7F800E7292D67C9949CB69
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCursor.USER32(00000000,0046B437), ref: 0046B3B4
                                                                                                                                                                                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0046B3C2
                                                                                                                                                                                                                                                        • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B437), ref: 0046B3C8
                                                                                                                                                                                                                                                        • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B437), ref: 0046B3D2
                                                                                                                                                                                                                                                        • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B437), ref: 0046B3D8
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Cursor$LoadSleep
                                                                                                                                                                                                                                                        • String ID: CheckPassword
                                                                                                                                                                                                                                                        • API String ID: 4023313301-1302249611
                                                                                                                                                                                                                                                        • Opcode ID: 44b8382409f936438604d225ef89184371de59a866ae62e55b9f5dcfd9756c82
                                                                                                                                                                                                                                                        • Instruction ID: b09255d9a7c611b0bfc089710c17667b12f0d593a5b55614b79a89e9649d4142
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44b8382409f936438604d225ef89184371de59a866ae62e55b9f5dcfd9756c82
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0F3163347402449FD711EF69C889F9E7BE0EB45308F5580B6B844DB3A2D778AE80CB99
APIs
  • Part of subcall function 0047771C: GetWindowThreadProcessId.USER32(00000000), ref: 00477724
  • Part of subcall function 0047771C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047781B,0049C0A4,00000000), ref: 00477737
  • Part of subcall function 0047771C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047773D
• SendMessageA.USER32(00000000,0000004A,00000000,00477BAE), ref: 00477829
• GetTickCount.KERNEL32 ref: 0047786E
• GetTickCount.KERNEL32 ref: 00477878
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004778CD
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 004778B6
• CallSpawnServer: Unexpected response: $%x, xrefs: 0047785E
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: ca880343a386001ff40cbe570b9ef123517aa43358773809a55ead1e01c0fa0a
• Instruction ID: 299670a9d8cbc3645b3f78b49a497e4fea958f91e042c3b01241e910438e05bb
• Opcode Fuzzy Hash: ca880343a386001ff40cbe570b9ef123517aa43358773809a55ead1e01c0fa0a
• Instruction Fuzzy Hash: 2431D674F042149BDB10EBB9C8867EEB6E49F04314F90807AB548EB392D67C4D01CB9D
APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00459717
Strings
• Fusion.dll, xrefs: 004596B7
• CreateAssemblyCache, xrefs: 0045970E
• .NET Framework CreateAssemblyCache function failed, xrefs: 0045973A
• Failed to load .NET Framework DLL "%s", xrefs: 004596FC
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00459722
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
• Opcode ID: 4c41a785560e20bd7f4efb213984261e3dc167c4566bd066bbc2c635501a0dfa
• Instruction ID: 558248bdb3bf595e2e3e39b0d8ee8dc7338ab5379a9da9f0630157063a96258d
• Opcode Fuzzy Hash: 4c41a785560e20bd7f4efb213984261e3dc167c4566bd066bbc2c635501a0dfa
• Instruction Fuzzy Hash: 1A318870E10605EBCB10EFA5C88169EB7B8EF48315F50857BE814E7382DB389E08C799
APIs
  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
• GetFocus.USER32 ref: 0041C168
• GetDC.USER32(?), ref: 0041C174
• SelectPalette.GDI32(?,?,00000000), ref: 0041C195
• RealizePalette.GDI32(?), ref: 0041C1A1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
• SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
• ReleaseDC.USER32(?,?), ref: 0041C1ED
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Palette$Select$BitsFocusObjectRealizeRelease
• String ID:
• API String ID: 3303097818-0
• Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
• Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
• Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                                                                                                                                                                                        • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                                                                                                                                                                                        • 6F522980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                                                                                                                                                                                          • Part of subcall function 004107F8: 6F51C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                                                                                                                                                                                        • 6F58CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                                                                                                                                                                                        • 6F58C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                                                                                                                                                                                        • 6F58CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                                                                                                                                                                                        • 6F520860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MetricsSystem$C400C740F520860F522980
• String ID:
• API String ID: 2856677924-0
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483874), ref: 00483859
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
APIs
• GetDC.USER32(00000000), ref: 004950F5
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(00000000,00000000), ref: 00495117
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495695), ref: 0049512B
• GetTextMetricsA.GDI32(00000000,?), ref: 0049514D
• ReleaseDC.USER32(00000000,00000000), ref: 0049516A
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495122
Similarity
• API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 2948443157-222967699
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
• GetCurrentThreadId.KERNEL32 ref: 004233D1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
• SetCursor.USER32(00000000), ref: 00423413
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494F18
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494F25
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494F32
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                        • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                                                                                                                                                                                        • API String ID: 667068680-2254406584
                                                                                                                                                                                                                                                        • Opcode ID: 37909b725e6a52ee00d16a74014c96465fb066db26e4bf6f46264368631e9446
                                                                                                                                                                                                                                                        • Instruction ID: 2f2711a2512f7fb170870be193f04cf16a3e8db421c69f418f1b662089c325dd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37909b725e6a52ee00d16a74014c96465fb066db26e4bf6f46264368631e9446
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4DF0F652B45B1A26EA2065668C41E7B698CCBC5774F040137BD44A7386E95C8D0242FD
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D069
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D079
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D089
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                                                                                                                        • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                                                                                                                                                                        • API String ID: 190572456-508647305
                                                                                                                                                                                                                                                        • Opcode ID: 5122bc98b4243edee483dbd362e818e6acc0399cd5465a234f2a44048f9c1fe5
                                                                                                                                                                                                                                                        • Instruction ID: 3f16491fd0632e8a02841724fbace7a68b5b3961c1e73dc4b9133e40a6f013db
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5122bc98b4243edee483dbd362e818e6acc0399cd5465a234f2a44048f9c1fe5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 93F012B0980701DBE728EFB6BCC57263695EBE571AF14C137A414911E2D7780459CF1D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D569
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D579
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D589
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressProc
                                                                                                                                                                                                                                                        • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                                                                                                                                                                                        • API String ID: 190572456-212574377
                                                                                                                                                                                                                                                        • Opcode ID: 32367f3f71a88edad6cb0c18a1faf3f35cd26c2391eb0080ad94b90b0e942293
                                                                                                                                                                                                                                                        • Instruction ID: 7482b4c4bf9fc4dc9e9e03776ed9023a769b21f625f1bb01c5bf02fa64bb1e85
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32367f3f71a88edad6cb0c18a1faf3f35cd26c2391eb0080ad94b90b0e942293
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08F0D0B0D01704EBE725EFB69CC772636959F6431AF10843BAA0E55362E6784489CF2C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004570C9,0045746C,00457020,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,00480E10), ref: 0042EA35
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                                                                                                                                                                                        • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                                                                                                                                                                                          • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004570C9,0045746C,00457020,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                                                                                                                                                                                          • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                                                                                                                                                                                          • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                                                                                                                                                                                        • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004570C9,0045746C,00457020,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                                                                                                                                                                                        • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                                                                                                                                                                                        • API String ID: 142928637-2676053874
                                                                                                                                                                                                                                                        • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                                                                                                                                                                                        • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
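The function records above all show the same pattern: the sample obtains a module handle (GetModuleHandleA or LoadLibraryA) and then resolves exports one by one with GetProcAddress, so the imported names never appear in the PE import table and only surface as strings or in a sandbox API trace. The script below is an added triage helper, not part of the Joe Sandbox report and not the sample's code: it parses the "APIs" lines of records like these, pairs each GetProcAddress with the module handle call that precedes it in the same record, and tags exports whose origin is known. The sample input is constructed from the listing above; the tags are analyst knowledge (ISCryptGetVersion, ArcFourInit and ArcFourCrypt are the exports of Inno Setup's ISCrypt.dll, which provides RC4 for password-protected installers, and the BZ2_ prefix is libbzip2). One caveat when reading these records: the argument values are the sandbox's rendering of stack slots, so they can be off by one. In the ChangeWindowMessageFilterEx record, for instance, GetProcAddress shows "user32.dll" in the export-name slot while the real export name appears in the GetModuleHandleA argument list; treat the names as hints and confirm them in the memory dump.

```python
import re
from collections import OrderedDict

# Constructed sample: the "APIs" lines of four records copied from the
# listing above, one record per blank-line-separated group.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00494F18
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494F25
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494F32

• GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D069
• GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D079
• GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D089

• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D569
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D579
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D589

• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
"""

# One "• Api.MODULE(arg,arg,...), ref: ADDR" line, optionally prefixed with
# the "Part of subcall function XXXX:" marker the report uses for callees.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$"
)

# APIs that turn a module name into a handle; their first argument is the name.
HANDLE_APIS = {
    "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
}

# Analyst-supplied tags (assumption: these are the only names we care to label).
KNOWN_EXPORTS = {
    "ISCryptGetVersion": "Inno Setup ISCrypt.dll export (RC4 installer encryption)",
    "ArcFourInit": "Inno Setup ISCrypt.dll export (RC4 installer encryption)",
    "ArcFourCrypt": "Inno Setup ISCrypt.dll export (RC4 installer encryption)",
}


def parse_api_lines(text):
    """Yield one dict per API line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["args"] = [a.strip() for a in d["args"].split(",")]
            yield d


def resolved_exports(text):
    """Return one OrderedDict {module: [export, ...]} per record.

    A record is a blank-line-separated group. The module name comes from the
    most recent GetModuleHandle/LoadLibrary call in that record; when the
    handle was obtained elsewhere (the report shows 00000000), it is '?'.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        module = "?"
        exports = OrderedDict()
        for call in parse_api_lines(block):
            if call["api"] in HANDLE_APIS and call["args"]:
                module = call["args"][0].lower()
            elif call["api"] == "GetProcAddress" and len(call["args"]) >= 2:
                exports.setdefault(module, []).append(call["args"][1])
        records.append(exports)
    return records


def tag_export(name):
    """Label an export name from the analyst table; '' when unknown."""
    if name.startswith("BZ2_"):
        return "libbzip2 decompression (bzip2 export)"
    return KNOWN_EXPORTS.get(name, "")


def summarize(text):
    """Flatten all records into (module, export, tag) rows in report order."""
    rows = []
    for record in resolved_exports(text):
        for module, names in record.items():
            for name in names:
                rows.append((module, name, tag_export(name)))
    return rows


if __name__ == "__main__":
    for module, name, tag in summarize(SAMPLE):
        print(f"{module:12s} {name:28s} {tag}")
```

Run it on the raw text of the "APIs" sections and the output is a per-module list of run-time resolved imports, which is the list you would feed into a string-based Yara rule or compare against the static import table to see what the sample deliberately keeps out of it.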
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498804), ref: 004787AE
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004787BB
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004787CB
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
APIs
• GetFocus.USER32 ref: 0041B57E
• GetDC.USER32(?), ref: 0041B58A
• GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
• GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
• ReleaseDC.USER32(?,?), ref: 0041B626
Similarity
• API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
• String ID:
APIs
• SetLastError.KERNEL32(00000057,00000000,0045CFF0,?,?,?,?,00000000), ref: 0045CF8F
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D05C,?,00000000,0045CFF0,?,?,?,?,00000000), ref: 0045CFCE
Strings
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
• GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
• GetDC.USER32(00000000), ref: 0041BDE9
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
• ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
Similarity
• API ID: CapsDeviceMetricsSystem$Release
• String ID:
                                                                                                                                                                                                                                                        • API String ID: 447804332-0
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 0047E2AE
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CC21), ref: 0047E2D4
• GetWindowLongA.USER32(?,000000EC), ref: 0047E2E4
• SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E305
• ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E319
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E335
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$Long$Show
• String ID:
• API String ID: 3609083571-0
APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• UnrealizeObject.GDI32(00000000), ref: 0041B27C
• SelectObject.GDI32(?,00000000), ref: 0041B28E
• SetBkColor.GDI32(?,00000000), ref: 0041B2B1
• SetBkMode.GDI32(?,00000002), ref: 0041B2BC
• SetBkColor.GDI32(?,00000000), ref: 0041B2D7
• SetBkMode.GDI32(?,00000001), ref: 0041B2E2
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Similarity
• API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
• String ID:
• API String ID: 3527656728-0
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• ShowWindow.USER32(?,00000005,00000000,00497BA1,?,?,00000000), ref: 00497972
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
  • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,0049799A,00000000,00497B6D,?,?,00000005,00000000,00497BA1,?,?,00000000), ref: 004072B3
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Similarity
• API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
• String ID: .dat$.msg$IMsg$Uninstall
• API String ID: 3312786188-1660910688
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Strings
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• API String ID: 828529508-2866557904
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004570C9,0045746C,00457020,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                                                                                                                                                                                        • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                                                                                                                                                                                        • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                                                                                                                                                                        • API String ID: 3478007392-2498399450
                                                                                                                                                                                                                                                        • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                                                                                                                                                                        • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00477724
                                                                                                                                                                                                                                                        • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047781B,0049C0A4,00000000), ref: 00477737
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047773D
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                                                                                                                                                                                        • String ID: AllowSetForegroundWindow$user32.dll
                                                                                                                                                                                                                                                        • API String ID: 1782028327-3855017861
                                                                                                                                                                                                                                                        • Opcode ID: 9cbf605bf7fb62c6fa6eed3a813332d63d01b072d47f223b934acc6204d32a91
                                                                                                                                                                                                                                                        • Instruction ID: b8998b5b11308705bea9eb0f8ec6baab65f192f364a037d5a2b195a8f22c602c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9cbf605bf7fb62c6fa6eed3a813332d63d01b072d47f223b934acc6204d32a91
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3ED0C7A0648701A9D91473F54D86F6F325C9944758794C43B7404F218ADA7CFC009A7D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                                                                                                                                                                                        • SaveDC.GDI32(?), ref: 00416C83
                                                                                                                                                                                                                                                        • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                                                                                                                                                                                        • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                                                                                                                                                                                        • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3808407030-0
                                                                                                                                                                                                                                                        • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                                                                                                                                                                        • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                                                                                                                                                                        • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
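The function records above and below are the raw material behind the "Contains functionality to dynamically determine API calls" signature in the overview: GetModuleHandleA on user32.dll followed by GetProcAddress, with the export being resolved (ShutdownBlockReasonCreate, ChangeWindowMessageFilter, AllowSetForegroundWindow) visible among the recovered stack arguments. The following script is an added triage example, not code from the report or from Joe Sandbox. It parses the `• Name.MODULE(args), ref: ADDR` lines of three records copied verbatim from this report, pulls the DLL and export name out of each resolver call, and decodes the raw message numbers passed to SendMessageA into the WinUser.h EM_* names. The assumption that the export name appears as a plain identifier among the resolver's argument list is this example's own reading of how the report renders recovered stack values; the function and dictionary names are likewise the example's.

```python
"""Triage helper for Joe Sandbox function-level 'APIs' records (added example)."""
import re

# Classic edit-control messages from WinUser.h; only the range this report uses.
EDIT_MESSAGES = {
    0xB0: "EM_GETSEL", 0xB1: "EM_SETSEL", 0xB2: "EM_GETRECT", 0xB3: "EM_SETRECT",
    0xB6: "EM_LINESCROLL", 0xB7: "EM_SCROLLCARET", 0xB8: "EM_GETMODIFY",
    0xB9: "EM_SETMODIFY", 0xBA: "EM_GETLINECOUNT", 0xBB: "EM_LINEINDEX",
    0xC1: "EM_LINELENGTH", 0xC2: "EM_REPLACESEL", 0xC4: "EM_GETLINE",
    0xC5: "EM_LIMITTEXT", 0xC9: "EM_LINEFROMCHAR", 0xCC: "EM_SETPASSWORDCHAR",
}

# One report line: "• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8"
API_LINE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Calls whose result is normally fed to GetProcAddress.
RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
             "LoadLibraryExA", "LoadLibraryExW"}

# API lines copied from three records of this report (constructed fixture; the
# report shows them one record at a time). Keys are the first call's address.
SAMPLE_RECORDS = {
    "0042E9C2": """
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004570C9,0045746C,00457020,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
• InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
""",
    "00477724": """
• GetWindowThreadProcessId.USER32(00000000), ref: 00477724
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047781B,0049C0A4,00000000), ref: 00477737
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047773D
""",
    "00429808": """
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
""",
}


def parse_api_lines(text):
    """Return (name, module, [args], ref) for every API line in a record."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip())
        if m:
            args = [a for a in m.group("args").split(",") if a]
            calls.append((m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def _looks_like_export(arg):
    """Identifier that is neither a DLL name nor an 8-digit hex stack value."""
    return (re.fullmatch(r"[A-Za-z_]\w*", arg) is not None
            and re.fullmatch(r"[0-9A-Fa-f]{8}", arg) is None
            and not arg.lower().endswith(".dll"))


def dynamic_imports(calls):
    """(dll, export, ref) for each resolver call in a record that also calls GetProcAddress.

    Assumption (this example's): the export name is still on the stack when the
    resolver is called, so it shows up as a string in the rendered argument list.
    """
    if "GetProcAddress" not in {c[0] for c in calls}:
        return []
    found = []
    for name, _module, args, ref in calls:
        if name in RESOLVERS:
            dll = next((a for a in args if a.lower().endswith(".dll")), None)
            export = next((a for a in args if _looks_like_export(a)), None)
            found.append((dll, export, ref))
    return found


def decode_messages(calls):
    """(ref, msg, symbolic name) for each SendMessage/PostMessage call in a record."""
    out = []
    for name, _module, args, ref in calls:
        if name in ("SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW") and len(args) > 1:
            try:
                msg = int(args[1], 16)
            except ValueError:
                continue  # unrecovered argument, rendered as "?"
            out.append((ref, msg, EDIT_MESSAGES.get(msg, "unknown")))
    return out


def triage(records=SAMPLE_RECORDS):
    """Run both checks over every record: {key: {"dynamic": [...], "messages": [...]}}."""
    result = {}
    for key, text in records.items():
        calls = parse_api_lines(text)
        result[key] = {"dynamic": dynamic_imports(calls), "messages": decode_messages(calls)}
    return result


if __name__ == "__main__":
    for key, r in triage().items():
        for dll, export, ref in r["dynamic"]:
            print(f"{key}: resolves {export} from {dll} at run time (ref {ref:08X})")
        for ref, msg, sym in r["messages"]:
            print(f"{key}: SendMessageA msg 0x{msg:X} = {sym} (ref {ref:08X})")
```

Two points the decoded output makes for a reviewer. First, ChangeWindowMessageFilter and ShutdownBlockReasonCreate do not exist on Windows versions older than Vista and AllowSetForegroundWindow is absent before Windows 2000, so code that has to start on those systems must resolve them at run time; dynamic resolution of these particular exports is weak evidence on its own and should be weighed together with the Yara and behaviour findings rather than on its own. Second, the SendMessageA sequence decodes to EM_LINEINDEX, EM_LINELENGTH, EM_SETSEL and EM_REPLACESEL, the housekeeping a program does when appending text to an edit control, which places that function in the GUI layer rather than among the payload code.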
APIs
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
• SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
• SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
• SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
• SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: fd8aa0ec1b973ae6aaefd16540d6ee8dc1d02e84f7fa614f966329f354bb3efc
• Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fd8aa0ec1b973ae6aaefd16540d6ee8dc1d02e84f7fa614f966329f354bb3efc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
APIs
• GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
• GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
• GetDC.USER32(00000000), ref: 0041BC12
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
• DeleteObject.GDI32(00000000), ref: 0041BC9A
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MetricsSystem$BitmapCreateDeleteObject
• String ID:
• API String ID: 1095203571-0
• Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
• Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
• Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
• Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
APIs
  • Part of subcall function 0045CF24: SetLastError.KERNEL32(00000057,00000000,0045CFF0,?,?,?,?,00000000), ref: 0045CF8F
• GetLastError.KERNEL32(00000000,00000000,00000000,00473588,?,?,0049C1DC,00000000), ref: 00473541
• GetLastError.KERNEL32(00000000,00000000,00000000,00473588,?,?,0049C1DC,00000000), ref: 00473557
Strings
• Could not set permissions on the registry key because it currently does not exist., xrefs: 0047354B
• Failed to set permissions on registry key (%d)., xrefs: 00473568
• Setting permissions on registry key: %s\%s, xrefs: 00473506
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast
• String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
• API String ID: 1452528299-4018462623
• Opcode ID: cda487bc8e154a0ad9ae216a04a88865d7cb43f012aef9407592f0032e7bcf89
• Instruction ID: 2212a5860512eb316d0a76154e76f7c63462165614e358f3f9a9decbb378d4da
• Opcode Fuzzy Hash: cda487bc8e154a0ad9ae216a04a88865d7cb43f012aef9407592f0032e7bcf89
• Instruction Fuzzy Hash: DF217470A042446FCB00DFAAC4816EEBBE9DB49315F50817AE408E7392D7785A058B6D
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
• RealizePalette.GDI32(00000000), ref: 00414421
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
• RealizePalette.GDI32(00000000), ref: 0041443B
• ReleaseDC.USER32(00000000,00000000), ref: 00414446
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
• Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
• Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
APIs
  • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
  • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
  • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
  • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
• OffsetRect.USER32(?,?,?), ref: 00424DC9
• DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
• OffsetRect.USER32(?,?,?), ref: 00424E9D
  • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
  • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
  • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
  • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Similarity
• API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
• String ID: vLB
• API String ID: 1477829881-1797516613
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
APIs
• SetRectEmpty.USER32(?), ref: 0044D04E
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
APIs
• GetDC.USER32(00000000), ref: 0042EF9E
  • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
• SelectObject.GDI32(?,00000000), ref: 0042EFC1
• ReleaseDC.USER32(00000000,?), ref: 0042F0A0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004969FD,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,004969FD,_iu,?,00000000,004539F6), ref: 004539BB
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                                                                                                                                                                        • String ID: .tmp$_iu
                                                                                                                                                                                                                                                        • API String ID: 3498533004-10593223
                                                                                                                                                                                                                                                        • Opcode ID: a2d893cb34534329417986e6c0829fc9ea942bfffc95fd4fb28473f4c8c7566b
                                                                                                                                                                                                                                                        • Instruction ID: c819285d1904897ee35e15112b57b1097950df4cd651dd5525fdc5768647a91e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a2d893cb34534329417986e6c0829fc9ea942bfffc95fd4fb28473f4c8c7566b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6531C5B0A00249ABCB11EFA5D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
APIs
• GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
• UnregisterClassA.USER32(?,00400000), ref: 004164AB
• RegisterClassA.USER32(?), ref: 004164CE
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Class$InfoRegisterUnregister
• String ID: @
• API String ID: 3749476976-2766056989
• Opcode ID: 5b42dbe956ccb297a4347149b64d01d8291e8cf711d902875b0d5c2af7b22291
• Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
• Opcode Fuzzy Hash: 5b42dbe956ccb297a4347149b64d01d8291e8cf711d902875b0d5c2af7b22291
• Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
APIs
• GetFileAttributesA.KERNEL32(00000000,00498740,00000000,00497EE6,?,?,00000000,0049B628), ref: 00497E60
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498740,00000000,00497EE6,?,?,00000000,0049B628), ref: 00497E89
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00497EA2
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• API String ID: 3839737484-3657609586
• Opcode ID: 3cfb3d6793791d97cf74a4285948bf1fe76c54a9dc4c52927cfc271f3ab244fc
• Instruction ID: adb9c33aafbf080cac665bc5299f23723db0aa29d84535d7a5ab6b838e12ed56
• Opcode Fuzzy Hash: 3cfb3d6793791d97cf74a4285948bf1fe76c54a9dc4c52927cfc271f3ab244fc
• Instruction Fuzzy Hash: 97214171E14219AFCF10EFA9C881AAFBBB8EF48314F50457BB414B72D1D6389E018B59
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456B28
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456B55
Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
• API String ID: 1312246647-2435364021
• Opcode ID: eeeb73eb9e9504d9a603f7ad8e3db9460b595fe7816c0dbb2ccb17ac3d1093e1
• Instruction ID: 47a1d4ca4f4f91c66d019980732f736a11ff2a8de3fe636bef365ffac313579d
• Opcode Fuzzy Hash: eeeb73eb9e9504d9a603f7ad8e3db9460b595fe7816c0dbb2ccb17ac3d1093e1
• Instruction Fuzzy Hash: E4118470B00614AFDB01EFA6CD51E5EB7ADEB89705F5184B6BC04D3652DA38AE04CA14
APIs
• SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00457046
• SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 004570E3
Strings
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457072
• Failed to create DebugClientWnd, xrefs: 004570AC
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: MessageSend
• String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
• API String ID: 3850602802-3720027226
APIs
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetFocus.USER32 ref: 004782DF
• GetKeyState.USER32(0000007A), ref: 004782F1
• WaitMessage.USER32(?,00000000,00478318,?,00000000,0047833F,?,?,00000001,00000000,?,?,?,0047FF4A,00000000,00480E10), ref: 004782FB
Strings
Similarity
• API ID: FocusMessageStateTextWaitWindow
• String ID: Wnd=$%x
• API String ID: 1381870634-2927251529
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E4F0
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E4FF
Strings
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004982D1,00000000,00498326,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,00497F85,00000000), ref: 0045349F
Strings
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459379,00000000,00459531,?,00000000,00000000,00000000), ref: 00459289
Strings
Similarity
• API ID: CloseOpen
• String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
• API String ID: 47109696-2631785700
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483755
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483778
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • System\CurrentControlSet\Control\Windows, xrefs: 00483722
                                                                                                                                                                                                                                                        • CSDVersion, xrefs: 0048374C
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: a43054236d00ebe64f13c76161d678db23357086e471883f50eee9bec3e1ddf0
• Instruction ID: 473048f5e98eb31a87ee19f4d6f0e18d0c02793fb4f6cf55b6386f241b3b3c83
• Opcode Fuzzy Hash: a43054236d00ebe64f13c76161d678db23357086e471883f50eee9bec3e1ddf0
• Instruction Fuzzy Hash: 2CF036F5A40208A6DF10EAD58C45BDFB3BC9B04705F108567E510E7280E778DB048B59
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetSystemWow64DirectoryA$kernel32.dll
• API String ID: 1646373207-4063490227
• Opcode ID: c1d4cb9903a355352fec54d7d7fc42ff69d50386832f09f5f28b98c1c912cee1
• Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
• Opcode Fuzzy Hash: c1d4cb9903a355352fec54d7d7fc42ff69d50386832f09f5f28b98c1c912cee1
• Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
Similarity
• API ID: AddressHandleModuleProc
• String ID: ShutdownBlockReasonDestroy$user32.dll
• API String ID: 1646373207-260599015
• Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
• Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
• Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
• Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
APIs
• GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004987D2), ref: 0044F77F
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
Similarity
• API ID: AddressHandleModuleProc
• String ID: NotifyWinEvent$user32.dll
• API String ID: 1646373207-597752486
• Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
• Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
• Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
• Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498828,00000001,00000000,0049884C), ref: 00498552
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498558
Similarity
• API ID: AddressHandleModuleProc
• String ID: DisableProcessWindowsGhosting$user32.dll
• API String ID: 1646373207-834958232
APIs
  • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,004987D2), ref: 0044B67F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
  • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004987FA), ref: 004644DB
• GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 004644E1
Strings
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 2238633743-2683653824
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047D344,?,?,?,?,00000000,0047D499,?,?,?,00000000,?,0047D5A8), ref: 0047D320
• FindClose.KERNEL32(000000FF,0047D34B,0047D344,?,?,?,?,00000000,0047D499,?,?,?,00000000,?,0047D5A8,00000000), ref: 0047D33E
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,004755FD,?,?,0049C1DC,00000000), ref: 004754E6
Strings
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
APIs
• GetDesktopWindow.USER32 ref: 00413D46
• GetDesktopWindow.USER32 ref: 00413DFE
  • Part of subcall function 00418EC0: 6F58C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
• SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
• Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
• Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
• LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
• LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
• Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
• Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
APIs
• SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
  • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
  • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
• IsRectEmpty.USER32(?), ref: 0044E953
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
• Opcode ID: 10250a0395981283fcc4a80b9eeb98fbc28641a3a135837a5077055f07d53bc9
• Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
• Opcode Fuzzy Hash: 10250a0395981283fcc4a80b9eeb98fbc28641a3a135837a5077055f07d53bc9
• Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00495564
• OffsetRect.USER32(?,00000000,?), ref: 0049557F
• OffsetRect.USER32(?,?,00000000), ref: 00495599
• OffsetRect.USER32(?,00000000,?), ref: 004955B4
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
• Opcode ID: 9137781dfa6337e8ef3f3b3b287e2de4796ba48f716e12dd1c164c0340d14a45
• Instruction ID: 8a93a1a85cbb2b193f638f7d5e23572cc2bb20d35705657c91cc813c58603f6c
• Opcode Fuzzy Hash: 9137781dfa6337e8ef3f3b3b287e2de4796ba48f716e12dd1c164c0340d14a45
• Instruction Fuzzy Hash: 4821B0B6700701AFCB00DE69CD85E6BB7EAEFC4350F258A2AF544C728AD638ED048751
APIs
• GetCursorPos.USER32 ref: 00417260
• SetCursor.USER32(00000000), ref: 004172A3
• GetLastActivePopup.USER32(?), ref: 004172CD
• GetForegroundWindow.USER32(?), ref: 004172D4
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
• Opcode ID: fc3dc682e35aefc43ebed10bef0119cbd363a2e2ef148f8fcda91412316ed339
• Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
• Opcode Fuzzy Hash: fc3dc682e35aefc43ebed10bef0119cbd363a2e2ef148f8fcda91412316ed339
• Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
APIs
• MulDiv.KERNEL32(8B500000,00000008,?), ref: 004951CD
• MulDiv.KERNEL32(50142444,00000008,?), ref: 004951E1
• MulDiv.KERNEL32(F7035BE8,00000008,?), ref: 004951F5
• MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00495213
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction ID: a792722bc063b548a051c88181bbb06e8db95fe2d05683568d4c98e59dc11981
• Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
• Instruction Fuzzy Hash: 95112E72605504ABCB40DFE9C8C4D9B7BECEF8D324B2441AAF908DB242D634ED408F68
APIs
• GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
• UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
• RegisterClassA.USER32(00499598), ref: 0041F4D4
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
• Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
• Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
• Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
• Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
• LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047C6AC,0000000A,00000000), ref: 0040D041
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047C6AC), ref: 0040D05B
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
• Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004704CD
Strings
• Unsetting NTFS compression on file: %s, xrefs: 004704B3
• Setting NTFS compression on file: %s, xrefs: 0047049B
• Failed to set NTFS compression state (%d)., xrefs: 004704DE
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 5e0f8f86fed6f9f7c39952bf00c87fcf13d0ad593fcc8ac6b3cdcf0c83175ddc
• Instruction ID: e8b0162e57f804c2a30ba352f90a9bf92a8ca3f223517a7017406bd44fdcfcee
• Opcode Fuzzy Hash: 5e0f8f86fed6f9f7c39952bf00c87fcf13d0ad593fcc8ac6b3cdcf0c83175ddc
• Instruction Fuzzy Hash: A3018B70D19288A6CF04D7EDA4412EDBBF59F4D314F44C1EFA459E7342DB790A088BAA
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046FD21
Strings
• Failed to set NTFS compression state (%d)., xrefs: 0046FD32
• Unsetting NTFS compression on directory: %s, xrefs: 0046FD07
• Setting NTFS compression on directory: %s, xrefs: 0046FCEF
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                                                                                                                                                                                        • API String ID: 1452528299-1392080489
                                                                                                                                                                                                                                                        • Opcode ID: 74cb5a7a130cb38d20d52844b97610ff045e975bde4c2f4f670a11906ade5ca5
                                                                                                                                                                                                                                                        • Instruction ID: 0b62ff5e67c42b10e7bcd1c73b0a381227d0d173acf9807972347256283fcfef
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 74cb5a7a130cb38d20d52844b97610ff045e975bde4c2f4f670a11906ade5ca5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1016730E0825856CB04DBADA4412EDBBF49F0D304F5481FFE896D7242EB791A0D879B
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
                                                                                                                                                                                                                                                        • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B686,?,?,?,?,?,00000000,0045B6AD), ref: 00455DD8
                                                                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B686,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                                                                                                                                                                                        • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                                                                                                                                                                                        • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4283692357-0
                                                                                                                                                                                                                                                        • Opcode ID: 02238595bac7234ebad497e510db0fe89aaf88b5be50f9c34004e14bcf4398aa
                                                                                                                                                                                                                                                        • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 02238595bac7234ebad497e510db0fe89aaf88b5be50f9c34004e14bcf4398aa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10,?,?,?,?,?,004988BB,00000000), ref: 00477D95
                                                                                                                                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10,?,?,?,?,?,004988BB), ref: 00477D9B
                                                                                                                                                                                                                                                        • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10), ref: 00477DBD
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10), ref: 00477DCE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 215268677-0
                                                                                                                                                                                                                                                        • Opcode ID: ced138171f4e7b37df63f6d60c59300768d0a071be6b50addf64793bfa5aa8eb
                                                                                                                                                                                                                                                        • Instruction ID: 987b79840f0c52b8959c6360de64ddcb26e084bfbcaebf84e1f469c58c485e10
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ced138171f4e7b37df63f6d60c59300768d0a071be6b50addf64793bfa5aa8eb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7F037616443007BD600E6B58D81E6B77DCEF44354F04883ABE94C71C1D678D8089766
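The two records above, the font-removal sequence that ends in a broadcast SendNotifyMessageA and the GetCurrentProcess / OpenProcessToken / GetTokenInformation / CloseHandle sequence, are much easier to read once the raw argument columns are decoded. The script below is an added example, not Joe Sandbox code and not code recovered from the sample: it parses the report's own '<Api>.<Module>(<args>), ref: <addr>' line format, groups calls per function record, and decodes the constants that matter here. 0x80000002 is HKEY_LOCAL_MACHINE; window handle 0xFFFF with message 0x1D is a WM_FONTCHANGE broadcast to every top-level window; and a TOKEN_INFORMATION_CLASS of 0x12 is TokenElevationType (TokenIntegrityLevel is 0x19), which together with the 4-byte output buffer means this function asks whether its own token is elevated, not what integrity level it runs at. The constant tables, the finding labels and the record-splitting rules are this example's own choices; the excerpt it runs on is quoted from the API and string lines of records on this page, with the sandbox's original GetTokenInformation annotation left in place so the decoder's disagreement with it is visible. One triage caveat: the strings logged around these records (NTFS compression on a directory, the "reg" constant parser, the wizard pages) match the messages of the Inno Setup installer runtime, so these functions describe the installer stub and should not by themselves be read as payload behaviour.

```python
"""Triage helper for the 'APIs' / 'Strings' listings of a Joe Sandbox function report.
Added example, not Joe Sandbox code and not code from the analysed sample: it parses
'<Api>.<Module>(<args>), ref: <addr>' lines into per-function records, decodes a few
argument constants and names call sequences worth review. Tables and labels are its own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

API_LINE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                      r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
STRING_LINE = re.compile(r"^(?P<s>.*), xrefs: [0-9A-F]{8}$")
# Constants from winnt.h / winreg.h / winuser.h, limited to what this excerpt needs.
TOKEN_INFORMATION_CLASS = {18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"}
REG_HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
WINDOW_MESSAGES = {0x001A: "WM_SETTINGCHANGE", 0x001D: "WM_FONTCHANGE"}
HWND_BROADCAST = 0xFFFF

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: str | None = None

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def _strip_bullet(raw: str) -> str:
    line = raw.strip()
    return line[1:].strip() if line.startswith("•") else line

def parse_api_line(line: str) -> Call | None:
    """One '• Api.Module(args), ref: addr' line, or None if the line is not one."""
    m = API_LINE.match(_strip_bullet(line))
    return Call(m["api"], m["mod"], m["args"].split(","), m["ref"], m["sub"]) if m else None

def hex_arg(arg: str) -> int | None:
    """Report arguments are hex: '80000002', '37H', '00000012(Annotation)'; '?' means unknown."""
    m = re.match(r"^([0-9A-Fa-f]+)H?(?:\(.*\))?$", arg)
    return int(m.group(1), 16) if m else None

def parse_report(text: str) -> list:
    """A record starts at an 'APIs' or 'Strings' header and ends at 'Memory Dump Source'."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = _strip_bullet(raw)
        if line == "APIs":
            current, section = Entry(), "apis"
            entries.append(current)
        elif line == "Strings":
            if current is None:
                entries.append(current := Entry())
            section = "strings"
        elif line == "Memory Dump Source":
            current, section = None, None
        elif current is not None and section == "apis":
            call = parse_api_line(line)
            if call:
                current.calls.append(call)
        elif current is not None and section == "strings":
            m = STRING_LINE.match(line)
            if m:
                current.strings.append(m["s"])
    return entries

def classify(entry: Entry) -> list:
    """Decode the arguments that matter and name the recognisable call sequences."""
    names = {c.api for c in entry.calls}
    findings = []
    for c in entry.calls:
        v = hex_arg(c.args[1]) if c.api == "GetTokenInformation" and len(c.args) > 1 else None
        if v is not None:
            findings.append(f"{c.ref}: queries own token for {TOKEN_INFORMATION_CLASS.get(v, f'class {v}')} (0x{v:X})")
        elif c.api.startswith("RegOpenKeyEx") and len(c.args) > 1:
            findings.append(f"{c.ref}: opens {REG_HIVES.get(hex_arg(c.args[0]), c.args[0])}\\{c.args[1]}")
        elif c.api.startswith("SendNotifyMessage") and len(c.args) > 1:
            target = "HWND_BROADCAST" if hex_arg(c.args[0]) == HWND_BROADCAST else c.args[0]
            findings.append(f"{c.ref}: sends {WINDOW_MESSAGES.get(hex_arg(c.args[1]), c.args[1])} to {target}")
    if {"RegDeleteValueA", "RemoveFontResourceA"} <= names:
        findings.append("font uninstall sequence: registry value deleted, font resource unloaded")
    if {"OpenProcessToken", "GetTokenInformation"} <= names:
        findings.append("inspects its own process token (elevation awareness)")
    return findings

# Constructed input: lines quoted from the report records; the GetTokenInformation
# annotation is kept exactly as the sandbox emitted it so the decoder's disagreement shows.
REPORT_EXCERPT = r"""APIs
• Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,37H,?,00000001,?,?,00483733,?,00000001,00000000), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B686,?,?,?,?,?,00000000,0045B6AD), ref: 00455DD8
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10,?,?,?,?,?,004988BB,00000000), ref: 00477D95
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10,?,?,?,?,?,004988BB), ref: 00477D9B
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,00480E10), ref: 00477DBD
Memory Dump Source
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479E75
• Failed to parse "reg" constant, xrefs: 0047A008
"""
```

Running `classify` over `parse_report(REPORT_EXCERPT)` yields three records: the first decodes to an HKLM key open, a WM_FONTCHANGE broadcast to HWND_BROADCAST and the font-uninstall label; the second reports a TokenElevationType (0x12) query plus the token-inspection label; the third carries only the two "reg" constant strings and no API findings. Feeding it the full page text instead of the excerpt works unchanged, because the parser keys on the same 'APIs', 'Strings' and 'Memory Dump Source' headers the report uses.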
APIs
• GetLastActivePopup.USER32(?), ref: 0042424C
• IsWindowVisible.USER32(?), ref: 0042425D
• IsWindowEnabled.USER32(?), ref: 00424267
• SetForegroundWindow.USER32(?), ref: 00424271
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: ba19c83180c847f7cc1a799de6a6bd3f59fb62ceb1b1ee1cbd3621cddb0aa8ae
• Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
• Opcode Fuzzy Hash: ba19c83180c847f7cc1a799de6a6bd3f59fb62ceb1b1ee1cbd3621cddb0aa8ae
• Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B689,?,00000000,00000000,00000001,00000000,0047A03D,?,00000000), ref: 0047A001
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479E75
• Failed to parse "reg" constant, xrefs: 0047A008
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: cb5963443985b101f90e6459e9d92d1a207c50e5c3b3050293cb341093ee1cc6
• Instruction ID: b9da291a702a23f9cca087d797e0ae80727d0787199f86d639bf183e32c29431
• Opcode Fuzzy Hash: cb5963443985b101f90e6459e9d92d1a207c50e5c3b3050293cb341093ee1cc6
• Instruction Fuzzy Hash: 85813E74E00148AFCB10DFA5C481ADEBBF9AF48315F50857AE814B7391DB38AE05CB99
Strings
• Failed to proceed to next wizard page; showing wizard., xrefs: 0046CC10
• Failed to proceed to next wizard page; aborting., xrefs: 0046CBFC
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                                                                                                                                                                        • API String ID: 0-1974262853
                                                                                                                                                                                                                                                        • Opcode ID: 33d594b63624b6580e6ea1335757c9c73b02cf19a18a2f29770ba97ccefe4596
                                                                                                                                                                                                                                                        • Instruction ID: 02609ddebc2f72e37b130453db8fbd0a4ca28e8a7b44a7fb2411c0886f03fee3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33d594b63624b6580e6ea1335757c9c73b02cf19a18a2f29770ba97ccefe4596
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0A31AF30604244DFD711EB99E9CABA977E5EB05704F5400BBF448AB392D7787E80CB5A
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                                                                                                                                                                                        • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExecuteMessageSendShell
                                                                                                                                                                                                                                                        • String ID: open
                                                                                                                                                                                                                                                        • API String ID: 812272486-2758837156
                                                                                                                                                                                                                                                        • Opcode ID: fa29d62d9780523739d4a743ba00ec1ee44d09b31dd3b91501b045b0696864e0
                                                                                                                                                                                                                                                        • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fa29d62d9780523739d4a743ba00ec1ee44d09b31dd3b91501b045b0696864e0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                                                                                                                                                                                          • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                                                                                                                                                                        • String ID: <
                                                                                                                                                                                                                                                        • API String ID: 893404051-4251816714
                                                                                                                                                                                                                                                        • Opcode ID: e3c2aaf8164fd08d9067a555fb6a2966218db55df2f6cf118cfb9f904223115b
                                                                                                                                                                                                                                                        • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e3c2aaf8164fd08d9067a555fb6a2966218db55df2f6cf118cfb9f904223115b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                                                                                                                                                                                        • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                                                                                                                                                                                          • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                                                                                                                                                                          • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                                                                                                                                                                          • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                                                                                                                                                          • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02188000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                                                                                                                                                                        • String ID: )
                                                                                                                                                                                                                                                        • API String ID: 2227675388-1084416617
                                                                                                                                                                                                                                                        • Opcode ID: afc8f00caf7b780c94fc6e1267ef13ed48609c58ab26d4177af9a59a858bbbef
                                                                                                                                                                                                                                                        • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: afc8f00caf7b780c94fc6e1267ef13ed48609c58ab26d4177af9a59a858bbbef
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496745
                                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
• Opcode ID: ec0b8c3c988b4aa81f0fa7791b97a6f6051cb1d68697a70d3fd13d46f88cc7e3
• Instruction ID: 7a141039dda579af08b5e6fdd7feeb5da9df03d9f9889a7a9c69f07b885fae46
• Opcode Fuzzy Hash: ec0b8c3c988b4aa81f0fa7791b97a6f6051cb1d68697a70d3fd13d46f88cc7e3
• Instruction Fuzzy Hash: 0111A531A043488FDF01DBA4D851BAE7BE8EB48318F5284BBE404E7291D73C9905CA58
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 004474C6
Strings
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
• Opcode ID: fbec47f95d8ced89ede3bb4e447c9bec3a7dd321ad16f48a8b96cd6aab7145c6
• Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
• Opcode Fuzzy Hash: fbec47f95d8ced89ede3bb4e447c9bec3a7dd321ad16f48a8b96cd6aab7145c6
• Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496044,?,00496038,00000000,0049601F), ref: 00495FEA
• CloseHandle.KERNEL32(00496084,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496044,?,00496038,00000000), ref: 00496001
  • Part of subcall function 00495ED4: GetLastError.KERNEL32(00000000,00495F6C,?,?,?,?), ref: 00495EF8
Strings
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D
• API String ID: 3798668922-2746444292
• Opcode ID: e05c694224b5543a0b1caa8416f95522950e10165cfd4008cc05a56571bf4433
• Instruction ID: 6120f854a9747ac2d7a22113b9c0a9586d171a1b8bc238317803a43bf85d79ed
• Opcode Fuzzy Hash: e05c694224b5543a0b1caa8416f95522950e10165cfd4008cc05a56571bf4433
• Instruction Fuzzy Hash: AA01A1B0604648AFDF14DBA6CD82E9EBBACDF08714F61007AB504E7281E6785E048A28
APIs
  • Part of subcall function 0047CC20: FreeLibrary.KERNEL32(00000000,0048157B), ref: 0047CC36
  • Part of subcall function 0047C8F0: GetTickCount.KERNEL32 ref: 0047C93A
  • Part of subcall function 0045716C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 0045718B
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049853B), ref: 00497C39
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049853B), ref: 00497C3F
Strings
• Detected restart. Removing temporary directory., xrefs: 00497BF3
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
• Opcode ID: 9125a2873bd2436d1015a5dc6f845bf9a7d81bf413d74833c3e8d23694f035ae
• Instruction ID: d17374ea43c2dea7e7337f0f5ab0ca4281604cba40593c00ffa5d5932da2e1ee
• Opcode Fuzzy Hash: 9125a2873bd2436d1015a5dc6f845bf9a7d81bf413d74833c3e8d23694f035ae
• Instruction Fuzzy Hash: E4E02B7121C6403DDA0277B67C569573F4CD745B6C761487BF90881652C52E5814D63D
APIs
• GetModuleHandleA.KERNEL32(00000000,00498796), ref: 0040334B
• GetCommandLineA.KERNEL32(00000000,00498796), ref: 00403356
Strings
Similarity
• API ID: CommandHandleLineModule
• String ID: P7i
• API String ID: 2123368496-932482666
• Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
• Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
• Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
• Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2793245300.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793219234.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793346997.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793378529.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793416768.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 00000001.00000002.2793448951.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_400000_chica-pc-shield-1-75-0-1300-en-win.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLastSleep
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1458359878-0
                                                                                                                                                                                                                                                        • Opcode ID: 15fc397b82897e753cc9d2ffcfedac1196e644d16077d741085952ba6e0ec603
                                                                                                                                                                                                                                                        • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15fc397b82897e753cc9d2ffcfedac1196e644d16077d741085952ba6e0ec603
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:2.5%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                        Signature Coverage:2%
                                                                                                                                                                                                                                                        Total number of Nodes:2000
                                                                                                                                                                                                                                                        Total number of Limit Nodes:176
execution_graph: raw node and edge data of the interactive execution graph (node addresses, called API names and edge lists); the graph is not rendered on this page.
110414->110416 110417 6f89076b _Fac_tidy 46 API calls 110414->110417 110415 6f89076b _Fac_tidy 46 API calls 110415->110414 110418 6f890061 ___getlocaleinfo 5 API calls 110416->110418 110417->110416 110419 6f86c0c8 110418->110419 110419->110234 110420->110239 110421->110241 110422->110253 110424 6f86d990 53 API calls 110423->110424 110425 6f86dab0 110424->110425 110426 6f853910 52 API calls 110425->110426 110427 6f86dac5 110426->110427 110428 6f86dad9 110427->110428 110430 6f89076b _Fac_tidy 46 API calls 110427->110430 110429 6f890061 ___getlocaleinfo 5 API calls 110428->110429 110431 6f86c24d 110429->110431 110430->110428 110483 6f863830 46 API calls 110482->110483 110484 6f8636cc 110483->110484 110485 6f8636d8 110484->110485 110486 6f89076b _Fac_tidy 46 API calls 110484->110486 110485->110400 110486->110485 110488 6f857aa1 110487->110488 110489 6f857a63 110487->110489 110490 6f853280 52 API calls 110488->110490 110492 6f853430 52 API calls 110489->110492 110491 6f857ab3 110490->110491 110493 6f890061 ___getlocaleinfo 5 API calls 110491->110493 110494 6f857a89 110492->110494 110495 6f857ac4 110493->110495 110496 6f890061 ___getlocaleinfo 5 API calls 110494->110496 110495->110411 110497 6f857a9a 110496->110497 110497->110411 110499 6f853922 110498->110499 110499->110499 110504 6f853b30 110499->110504 110501 6f85393b 110520 6f853210 110501->110520 110503 6f853955 110503->110414 110503->110415 110505 6f853b95 110504->110505 110508 6f853b3f 110504->110508 110506 6f853bab 110505->110506 110526 6f88f635 46 API calls 2 library calls 110505->110526 110509 6f853bc9 110506->110509 110513 6f853bd8 _memmove 110506->110513 110527 6f88f635 46 API calls 2 library calls 110506->110527 110508->110505 110512 6f853b66 110508->110512 110511 6f8536c0 52 API calls 110509->110511 110509->110513 110511->110513 110514 6f853b80 110512->110514 110515 6f853b6b 110512->110515 110513->110501 110525 6f853a40 52 API calls 2 library calls 110514->110525 110524 6f853a40 52 API calls 2 library calls 
110515->110524 110518 6f853b7a 110518->110501 110519 6f853b8f 110519->110501 110521 6f853214 110520->110521 110522 6f853222 _memmove 110520->110522 110521->110522 110523 6f89076b _Fac_tidy 46 API calls 110521->110523 110522->110503 110523->110522 110524->110518 110525->110519 110526->110506 110527->110509 110667 6f869690 110668 6f869715 110667->110668 110669 6f8696ba 110667->110669 110670 6f8907c7 std::locale::_Init 51 API calls 110669->110670 110671 6f8696d3 110670->110671 110672 6f8696fe 110671->110672 110675 6f86b040 InitializeCriticalSection 110671->110675 110676 6f86da70 53 API calls 110675->110676 110677 6f86b0d9 110676->110677 110678 6f853210 46 API calls 110677->110678 110679 6f86b0e7 110678->110679 110680 6f86b0fd 110679->110680 110681 6f89076b _Fac_tidy 46 API calls 110679->110681 110682 6f86b370 150 API calls 110680->110682 110681->110680 110683 6f86b107 110682->110683 110684 6f890061 ___getlocaleinfo 5 API calls 110683->110684 110685 6f8696e9 110684->110685 110686 6f863a90 110687 6f863adb 110686->110687 110688 6f863af8 110686->110688 110708 6f85e1f0 68 API calls 110687->110708 110709 6f861cf0 58 API calls 110688->110709 110691 6f863ae7 110704 6f8624b0 46 API calls 2 library calls 110691->110704 110693 6f863b30 110694 6f863b59 110693->110694 110696 6f89076b _Fac_tidy 46 API calls 110693->110696 110695 6f863b88 110694->110695 110697 6f89076b _Fac_tidy 46 API calls 110694->110697 110702 6f863ba1 110695->110702 110705 6f863a70 110695->110705 110696->110694 110697->110695 110698 6f863bee 110700 6f890061 ___getlocaleinfo 5 API calls 110698->110700 110701 6f863c0e 110700->110701 110702->110698 110703 6f89076b _Fac_tidy 46 API calls 110702->110703 110703->110698 110704->110693 110710 6f864810 110705->110710 110708->110691 110709->110691 110717 6f88e7c0 89 API calls 110710->110717 110712 6f86485b 110718 6f8648b0 110712->110718 110716 6f863a80 110716->110702 110717->110712 110742 6f8744f0 110718->110742 110722 6f864925 110768 6f874660 90 API calls 4 library calls 
110722->110768 110724 6f86493c 110769 6f864ae0 110724->110769 110728 6f86495b 110740 6f86499a 110728->110740 110829 6f877ba0 47 API calls 110728->110829 110730 6f8649b4 110733 6f890061 ___getlocaleinfo 5 API calls 110730->110733 110731 6f864988 110734 6f89076b _Fac_tidy 46 API calls 110731->110734 110736 6f864872 110733->110736 110737 6f864991 110734->110737 110735 6f8649ae 110738 6f89076b _Fac_tidy 46 API calls 110735->110738 110741 6f864390 48 API calls std::ios_base::_Ios_base_dtor 110736->110741 110739 6f89076b _Fac_tidy 46 API calls 110737->110739 110738->110730 110739->110740 110740->110730 110830 6f87e290 46 API calls _Fac_tidy 110740->110830 110741->110716 110743 6f8907c7 std::locale::_Init 51 API calls 110742->110743 110744 6f874521 110743->110744 110746 6f87453c 110744->110746 110831 6f87e070 110744->110831 110756 6f874563 110746->110756 110863 6f87e290 46 API calls _Fac_tidy 110746->110863 110747 6f8907c7 std::locale::_Init 51 API calls 110750 6f87456f 110747->110750 110749 6f87459d 110753 6f864914 110749->110753 110864 6f877ba0 47 API calls 110749->110864 110750->110749 110752 6f8907c7 std::locale::_Init 51 API calls 110750->110752 110751 6f87455d 110754 6f89076b _Fac_tidy 46 API calls 110751->110754 110755 6f874592 110752->110755 110767 6f879a60 51 API calls 3 library calls 110753->110767 110754->110756 110755->110749 110757 6f874628 110755->110757 110756->110747 110865 6f890109 45 API calls std::exception::_Copy_str 110757->110865 110760 6f8745f6 110762 6f89076b _Fac_tidy 46 API calls 110760->110762 110761 6f87463a 110866 6f8924f0 RaiseException 110761->110866 110764 6f8745ff 110762->110764 110766 6f89076b _Fac_tidy 46 API calls 110764->110766 110765 6f874651 110766->110753 110767->110722 110768->110724 110770 6f864c02 110769->110770 110771 6f864b6e 110769->110771 110773 6f864d81 110770->110773 110918 6f879fa0 52 API calls 2 library calls 110770->110918 110902 6f8650b0 110771->110902 110775 6f864fb3 110773->110775 110930 6f879fa0 52 API calls 2 
library calls 110773->110930 110938 6f862dc0 110775->110938 110778 6f853280 52 API calls 110779 6f864bb8 110778->110779 110783 6f864bd7 110779->110783 110785 6f89076b _Fac_tidy 46 API calls 110779->110785 110917 6f863040 46 API calls _Fac_tidy 110783->110917 110785->110783 110786 6f863830 46 API calls 110788 6f864ff3 110786->110788 110789 6f89076b _Fac_tidy 46 API calls 110788->110789 110797 6f865002 110788->110797 110789->110797 110790 6f890061 ___getlocaleinfo 5 API calls 110793 6f864949 110790->110793 110791 6f865050 110795 6f89076b _Fac_tidy 46 API calls 110791->110795 110798 6f864bfb 110791->110798 110792 6f865047 110794 6f89076b _Fac_tidy 46 API calls 110792->110794 110828 6f879c30 52 API calls _Fac_tidy 110793->110828 110794->110791 110795->110798 110796 6f864d71 110800 6f89076b _Fac_tidy 46 API calls 110796->110800 110797->110791 110797->110792 110802 6f89076b _Fac_tidy 46 API calls 110797->110802 110798->110790 110799 6f864d55 110928 6f874280 90 API calls 2 library calls 110799->110928 110800->110773 110801 6f864fad 110803 6f89076b _Fac_tidy 46 API calls 110801->110803 110802->110797 110803->110775 110805 6f864f91 110936 6f874280 90 API calls 2 library calls 110805->110936 110806 6f864ae0 92 API calls 110823 6f864c1e 110806->110823 110807 6f864ae0 92 API calls 110827 6f864da4 110807->110827 110808 6f864d60 110929 6f8924f0 RaiseException 110808->110929 110812 6f864f9c 110937 6f8924f0 RaiseException 110812->110937 110813 6f864f75 110934 6f874280 90 API calls 2 library calls 110813->110934 110815 6f8650b0 92 API calls 110815->110827 110816 6f863830 46 API calls 110816->110823 110818 6f864f80 110935 6f8924f0 RaiseException 110818->110935 110823->110796 110823->110799 110823->110806 110823->110816 110824 6f89076b 46 API calls _Fac_tidy 110823->110824 110919 6f87a110 52 API calls 2 library calls 110823->110919 110920 6f863500 110823->110920 110927 6f853370 46 API calls _Fac_tidy 110823->110927 110824->110823 110825 6f89076b 46 API calls _Fac_tidy 110825->110827 
110826 6f863830 46 API calls 110826->110827 110827->110801 110827->110805 110827->110807 110827->110813 110827->110815 110827->110825 110827->110826 110931 6f87a110 52 API calls 2 library calls 110827->110931 110932 6f863160 52 API calls std::locale::_Init 110827->110932 110933 6f863390 52 API calls 2 library calls 110827->110933 110828->110728 110829->110731 110830->110735 110867 6f88ba50 110831->110867 110834 6f8907c7 std::locale::_Init 51 API calls 110835 6f87e0b2 110834->110835 110836 6f87e223 110835->110836 110837 6f8907c7 std::locale::_Init 51 API calls 110835->110837 110882 6f890109 45 API calls std::exception::_Copy_str 110836->110882 110839 6f87e0ec 110837->110839 110841 6f87e1fa 110839->110841 110844 6f8907c7 std::locale::_Init 51 API calls 110839->110844 110840 6f87e235 110883 6f8924f0 RaiseException 110840->110883 110896 6f890109 45 API calls std::exception::_Copy_str 110841->110896 110847 6f87e123 110844->110847 110845 6f87e24c 110884 6f87f3e0 110845->110884 110846 6f87e20c 110897 6f8924f0 RaiseException 110846->110897 110850 6f87e1d1 110847->110850 110854 6f8907c7 std::locale::_Init 51 API calls 110847->110854 110894 6f890109 45 API calls std::exception::_Copy_str 110850->110894 110852 6f89076b _Fac_tidy 46 API calls 110855 6f87e25e 110852->110855 110857 6f87e16f 110854->110857 110855->110746 110856 6f87e1e3 110895 6f8924f0 RaiseException 110856->110895 110859 6f87e176 110857->110859 110892 6f890109 45 API calls std::exception::_Copy_str 110857->110892 110859->110746 110861 6f87e1ba 110893 6f8924f0 RaiseException 110861->110893 110863->110751 110864->110760 110865->110761 110866->110765 110868 6f8907c7 std::locale::_Init 51 API calls 110867->110868 110869 6f88baad 110868->110869 110870 6f88bc3c 110869->110870 110881 6f88bab8 110869->110881 110900 6f890109 45 API calls std::exception::_Copy_str 110870->110900 110872 6f88bc4e 110901 6f8924f0 RaiseException 110872->110901 110874 6f88bc19 110875 6f890061 ___getlocaleinfo 5 API calls 110874->110875 110877 
6f87e0a0 110875->110877 110876 6f88bc65 110877->110834 110879 6f88bbce 110879->110874 110899 6f88c070 52 API calls 110879->110899 110881->110874 110881->110879 110898 6f875160 88 API calls 110881->110898 110882->110840 110883->110845 110887 6f87f493 110884->110887 110890 6f87f3f2 110884->110890 110885 6f87f4bb 110886 6f87e256 110885->110886 110888 6f89076b _Fac_tidy 46 API calls 110885->110888 110886->110852 110887->110885 110889 6f89076b _Fac_tidy 46 API calls 110887->110889 110888->110886 110889->110887 110890->110887 110891 6f89076b 46 API calls _Fac_tidy 110890->110891 110891->110890 110892->110861 110893->110850 110894->110856 110895->110841 110896->110846 110897->110836 110898->110881 110899->110874 110900->110872 110901->110876 110959 6f869220 52 API calls 2 library calls 110902->110959 110904 6f865112 110905 6f865131 110904->110905 110963 6f8646c0 90 API calls 2 library calls 110904->110963 110910 6f8651b8 110905->110910 110965 6f856530 52 API calls 2 library calls 110905->110965 110907 6f865122 110964 6f8924f0 RaiseException 110907->110964 110960 6f862150 110910->110960 110913 6f8651d8 110915 6f890061 ___getlocaleinfo 5 API calls 110913->110915 110914 6f89076b _Fac_tidy 46 API calls 110914->110913 110916 6f864b80 110915->110916 110916->110778 110917->110798 110918->110823 110919->110823 110921 6f8907c7 std::locale::_Init 51 API calls 110920->110921 110922 6f86353a 110921->110922 110923 6f863557 110922->110923 110924 6f862dc0 52 API calls 110922->110924 110986 6f8635b0 52 API calls __CxxThrowException@8 110923->110986 110924->110923 110926 6f86356d 110926->110823 110927->110823 110928->110808 110929->110796 110930->110827 110931->110827 110932->110827 110933->110827 110934->110818 110935->110805 110936->110812 110937->110801 110987 6f8634d0 110938->110987 110941 6f853280 52 API calls 110942 6f862e47 110941->110942 110943 6f862e5d 110942->110943 110944 6f89076b _Fac_tidy 46 API calls 110942->110944 110990 6f863590 110943->110990 110944->110943 110947 
6f862e8f 110958 6f862eda 110947->110958 110994 6f853370 46 API calls _Fac_tidy 110947->110994 110950 6f862ed0 110954 6f89076b _Fac_tidy 46 API calls 110950->110954 110951 6f862efa 110956 6f890061 ___getlocaleinfo 5 API calls 110951->110956 110952 6f862e86 110953 6f89076b _Fac_tidy 46 API calls 110952->110953 110953->110947 110954->110958 110955 6f863500 52 API calls 110955->110958 110957 6f862f1a 110956->110957 110957->110786 110958->110951 110958->110955 110959->110904 110966 6f8621b0 110960->110966 110963->110907 110964->110905 110965->110910 110967 6f8621f1 110966->110967 110981 6f8623c0 MultiByteToWideChar 110967->110981 110969 6f8621f9 110970 6f862202 110969->110970 110971 6f862220 110969->110971 110972 6f853430 52 API calls 110970->110972 110974 6f853430 52 API calls 110971->110974 110973 6f86221e 110972->110973 110975 6f890061 ___getlocaleinfo 5 API calls 110973->110975 110976 6f86225b 110974->110976 110977 6f862162 110975->110977 110978 6f853210 46 API calls 110976->110978 110977->110913 110977->110914 110979 6f862280 110978->110979 110979->110973 110980 6f89076b _Fac_tidy 46 API calls 110979->110980 110980->110973 110982 6f8623e7 110981->110982 110983 6f8623e3 110981->110983 110984 6f862401 MultiByteToWideChar 110982->110984 110983->110969 110985 6f862418 110984->110985 110985->110969 110986->110926 110988 6f853280 52 API calls 110987->110988 110989 6f862e33 110988->110989 110989->110941 110991 6f857ba0 52 API calls 110990->110991 110992 6f862e6f 110991->110992 110992->110947 110993 6f853370 46 API calls _Fac_tidy 110992->110993 110993->110952 110994->110950 110995 6bb8b760 111004 6bb8b9d0 110995->111004 110997 6bb8b7b0 110998 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 110997->110998 110999 6bb8b7b9 110998->110999 111012 6bb8b960 110999->111012 111001 6bb8b7cb 111002 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111001->111002 111003 6bb8b7d7 111001->111003 111002->111003 111005 6bb8b9e3 111004->111005 111011 6bb8b9fa 111004->111011 111007 
6bb8b9e7 111005->111007 111005->111011 111006 6bb8ba6e 111006->110997 111017 6bb8bd00 46 API calls std::ios_base::_Ios_base_dtor 111007->111017 111009 6bb8b9ec 111009->110997 111011->111006 111018 6bb8ba80 47 API calls 2 library calls 111011->111018 111013 6bb8b998 _memmove 111012->111013 111015 6bb8b973 111012->111015 111013->111001 111015->111013 111016 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111015->111016 111019 6bb81310 52 API calls std::ios_base::_Ios_base_dtor 111015->111019 111016->111015 111017->111009 111018->111011 111019->111015 111020 6f88ae90 111021 6f88afe7 111020->111021 111022 6f88aea0 111020->111022 111023 6f88aee8 111022->111023 111024 6f88aebb 111022->111024 111025 6f88af4b 111023->111025 111026 6f88af04 111023->111026 111024->111021 111059 6f88b190 52 API calls 111024->111059 111029 6f88af9b 111025->111029 111030 6f88af65 111025->111030 111061 6f88b1e0 52 API calls 111026->111061 111032 6f88afb0 111029->111032 111064 6f87f850 46 API calls 111029->111064 111063 6f88b1e0 52 API calls 111030->111063 111031 6f88aece 111060 6f87f850 46 API calls 111031->111060 111048 6f87f5b0 111032->111048 111033 6f88af14 111062 6f87f850 46 API calls 111033->111062 111039 6f88af78 111040 6f88b220 51 API calls 111039->111040 111045 6f88af8c 111040->111045 111041 6f88aedc 111042 6f88afa8 111046 6f89076b _Fac_tidy 46 API calls 111042->111046 111043 6f88afcf 111043->111021 111055 6f88b220 111043->111055 111044 6f88af20 111046->111032 111049 6f87f5c1 111048->111049 111050 6f87f5be 111048->111050 111051 6f87f5d3 111049->111051 111065 6f88f635 46 API calls 2 library calls 111049->111065 111050->111043 111066 6f87f8c0 111051->111066 111056 6f88b258 111055->111056 111057 6f88b2b7 111056->111057 111076 6f87f140 111056->111076 111057->111021 111059->111031 111060->111041 111061->111033 111062->111044 111063->111039 111064->111042 111065->111051 111067 6f87f5da 111066->111067 111068 6f87f8c9 111066->111068 111067->111043 111070 6f8907c7 std::locale::_Init 51 API 
calls 111068->111070 111071 6f87f8e0 111068->111071 111070->111071 111071->111067 111074 6f890109 45 API calls std::exception::_Copy_str 111071->111074 111072 6f87f8fc 111075 6f8924f0 RaiseException 111072->111075 111074->111072 111075->111067 111077 6f87f1e1 111076->111077 111078 6f87f1a2 111076->111078 111077->111056 111079 6f87f1b4 111078->111079 111088 6f88f635 46 API calls 2 library calls 111078->111088 111081 6f87f8c0 51 API calls 111079->111081 111082 6f87f1bb 111081->111082 111084 6f87ff10 111082->111084 111085 6f87ff50 111084->111085 111086 6f87ffb7 111085->111086 111087 6f87f140 51 API calls 111085->111087 111086->111077 111087->111085 111088->111079 111089 6f890ced 111090 6f890cf8 111089->111090 111091 6f890cfd 111089->111091 111103 6f898ac6 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 111090->111103 111095 6f890bf7 111091->111095 111094 6f890d0b 111096 6f890c03 __commit 111095->111096 111100 6f890ca0 __commit 111096->111100 111101 6f890c50 ___DllMainCRTStartup 111096->111101 111104 6f890a93 111096->111104 111098 6f890c80 111099 6f890a93 __CRT_INIT@12 112 API calls 111098->111099 111098->111100 111099->111100 111100->111094 111101->111098 111101->111100 111102 6f890a93 __CRT_INIT@12 112 API calls 111101->111102 111102->111098 111103->111091 111105 6f890a9f __commit 111104->111105 111106 6f890b21 111105->111106 111107 6f890aa7 111105->111107 111108 6f890b82 111106->111108 111109 6f890b27 111106->111109 111154 6f898924 HeapCreate 111107->111154 111111 6f890be0 111108->111111 111112 6f890b87 111108->111112 111116 6f890b45 111109->111116 111123 6f890ab0 __commit 111109->111123 111164 6f895c15 45 API calls _doexit 111109->111164 111111->111123 111173 6f89808f 57 API calls __freefls@4 111111->111173 111169 6f897d8b TlsGetValue TlsSetValue 111112->111169 111113 6f890aac 111115 6f890ab7 111113->111115 111113->111123 111155 6f8980fd 57 API calls 4 library calls 111115->111155 111121 6f890b59 111116->111121 
111165 6f8984bd 46 API calls _free 111116->111165 111118 6f890b8c 111170 6f894543 45 API calls __calloc_crt 111118->111170 111168 6f890b6c 48 API calls __mtterm 111121->111168 111123->111101 111125 6f890abc __RTC_Initialize 111127 6f890ac0 111125->111127 111133 6f890acc GetCommandLineA 111125->111133 111156 6f898942 HeapDestroy 111127->111156 111128 6f890b4f 111166 6f897ddc 48 API calls _free 111128->111166 111131 6f890ac5 111131->111123 111132 6f890b54 111167 6f898942 HeapDestroy 111132->111167 111157 6f898841 50 API calls 2 library calls 111133->111157 111136 6f890adc 111158 6f898278 52 API calls __calloc_crt 111136->111158 111138 6f890b98 111138->111123 111140 6f890bbd 111138->111140 111141 6f890bd4 111138->111141 111139 6f890ae6 111143 6f890aea 111139->111143 111160 6f898786 74 API calls 3 library calls 111139->111160 111171 6f897e19 45 API calls 4 library calls 111140->111171 111172 6f8922d5 45 API calls __commit 111141->111172 111159 6f897ddc 48 API calls _free 111143->111159 111145 6f890bc4 GetCurrentThreadId 111145->111123 111148 6f890af6 111149 6f890b0a 111148->111149 111161 6f898510 73 API calls 6 library calls 111148->111161 111149->111131 111163 6f8984bd 46 API calls _free 111149->111163 111152 6f890aff 111152->111149 111162 6f895a28 50 API calls 4 library calls 111152->111162 111154->111113 111155->111125 111156->111131 111157->111136 111158->111139 111159->111127 111160->111148 111161->111152 111162->111149 111163->111143 111164->111116 111165->111128 111166->111132 111167->111121 111168->111123 111169->111118 111170->111138 111171->111145 111172->111131 111173->111123 111174 6bb5bb50 111175 6bb5bb9c 111174->111175 111176 6bb5bbc6 111174->111176 111440 6bb5d990 52 API calls 111175->111440 111257 6bb5c480 111176->111257 111179 6bb5bba8 111179->111176 111441 6bb5c3c0 46 API calls std::ios_base::_Ios_base_dtor 111179->111441 111446 6bb5a3c0 46 API calls _memmove 111257->111446 111259 6bb5c4ce 111447 6bb5dbe0 56 API calls 2 library calls 111259->111447 
111261 6bb5c4da 111262 6bb51e90 52 API calls 111261->111262 111263 6bb5c535 111262->111263 111448 6bb51fa0 52 API calls 2 library calls 111263->111448 111265 6bb5c55c 111449 6bb5d460 52 API calls 2 library calls 111265->111449 111267 6bb5c57e 111450 6bb5a670 52 API calls 3 library calls 111267->111450 111269 6bb5c589 111270 6bb5c59e 111269->111270 111271 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111269->111271 111451 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111270->111451 111271->111270 111273 6bb5c5c0 111274 6bb5c5e1 111273->111274 111275 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111273->111275 111452 6bb5dcc0 52 API calls 111274->111452 111275->111274 111277 6bb5c5f0 111278 6bb51e90 52 API calls 111277->111278 111279 6bb5c648 111278->111279 111453 6bb51fa0 52 API calls 2 library calls 111279->111453 111281 6bb5c66f 111454 6bb5d460 52 API calls 2 library calls 111281->111454 111283 6bb5c68a 111455 6bb5a670 52 API calls 3 library calls 111283->111455 111285 6bb5c695 111286 6bb5c6a5 111285->111286 111288 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111285->111288 111456 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111286->111456 111288->111286 111289 6bb5c6c8 111290 6bb5c6e9 111289->111290 111291 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111289->111291 111457 6bb5dcf0 53 API calls 2 library calls 111290->111457 111291->111290 111293 6bb5c6f8 111294 6bb51e90 52 API calls 111293->111294 111295 6bb5c752 111294->111295 111458 6bb51fa0 52 API calls 2 library calls 111295->111458 111297 6bb5c779 111459 6bb5d460 52 API calls 2 library calls 111297->111459 111299 6bb5c79d 111460 6bb5a670 52 API calls 3 library calls 111299->111460 111301 6bb5c7a8 111302 6bb5c7b8 111301->111302 111303 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111301->111303 111461 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111302->111461 111303->111302 111305 6bb5c7db 111306 6bb5c7fc 111305->111306 111307 6bb9b53b 
std::ios_base::_Ios_base_dtor 46 API calls 111305->111307 111462 6bb5ddd0 53 API calls 2 library calls 111306->111462 111307->111306 111309 6bb5c80b 111310 6bb51e90 52 API calls 111309->111310 111311 6bb5c863 111310->111311 111463 6bb51fa0 52 API calls 2 library calls 111311->111463 111313 6bb5c88a 111464 6bb5d460 52 API calls 2 library calls 111313->111464 111315 6bb5c8a3 111465 6bb5a670 52 API calls 3 library calls 111315->111465 111317 6bb5c8ae 111318 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111317->111318 111320 6bb5c8be 111317->111320 111318->111320 111466 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111320->111466 111321 6bb5c8e1 111322 6bb5c902 111321->111322 111323 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111321->111323 111467 6bb5cf70 111322->111467 111323->111322 111326 6bb5cf70 91 API calls 111327 6bb5c91d 111326->111327 111492 6bb51fa0 52 API calls 2 library calls 111327->111492 111329 6bb5c93c 111493 6bb5d3b0 52 API calls 2 library calls 111329->111493 111331 6bb5c95a 111332 6bb5c977 111331->111332 111333 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111331->111333 111334 6bb5ca63 111332->111334 111494 6bb51fa0 52 API calls 2 library calls 111332->111494 111333->111332 111359 6bb5cb76 111334->111359 111499 6bb56670 52 API calls 111334->111499 111337 6bb5c9e5 111495 6bb51fa0 52 API calls 2 library calls 111337->111495 111338 6bb5ca88 111339 6bb51e90 52 API calls 111338->111339 111342 6bb5cad5 111339->111342 111341 6bb5ca0c 111496 6bb5d460 52 API calls 2 library calls 111341->111496 111500 6bb51fa0 52 API calls 2 library calls 111342->111500 111345 6bb5ca25 111497 6bb5a670 52 API calls 3 library calls 111345->111497 111346 6bb5cafc 111501 6bb5d460 52 API calls 2 library calls 111346->111501 111349 6bb5ca30 111352 6bb5ca40 111349->111352 111353 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111349->111353 111350 6bb5cb15 111502 6bb5a670 52 API calls 3 library calls 111350->111502 111498 6bb5a2d0 46 API calls 
std::ios_base::_Ios_base_dtor 111352->111498 111353->111352 111354 6bb5cb20 111356 6bb5cb35 111354->111356 111357 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111354->111357 111503 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111356->111503 111357->111356 111504 6bb51fa0 52 API calls 2 library calls 111359->111504 111360 6bb5cb58 111360->111359 111364 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111360->111364 111362 6bb5cb97 111505 6bb5d3b0 52 API calls 2 library calls 111362->111505 111364->111359 111365 6bb5cbb2 111366 6bb5cbcb 111365->111366 111367 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111365->111367 111506 6bb51fa0 52 API calls 2 library calls 111366->111506 111367->111366 111369 6bb5cbfc 111507 6bb5d3b0 52 API calls 2 library calls 111369->111507 111371 6bb5cc17 111372 6bb5cc34 111371->111372 111373 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111371->111373 111374 6bb5cd25 111372->111374 111375 6bb51e90 52 API calls 111372->111375 111373->111372 111376 6bb5ce04 111374->111376 111379 6bb51e90 52 API calls 111374->111379 111377 6bb5cca7 111375->111377 111378 6bb5cebc 111376->111378 111516 6bb5a1c0 52 API calls 111376->111516 111508 6bb51fa0 52 API calls 2 library calls 111377->111508 111382 6bb5ced9 111378->111382 111387 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111378->111387 111380 6bb5cd86 111379->111380 111512 6bb51fa0 52 API calls 2 library calls 111380->111512 111385 6bb5cf0a 111382->111385 111389 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111382->111389 111384 6bb5ccce 111509 6bb5d460 52 API calls 2 library calls 111384->111509 111387->111382 111388 6bb5ce30 111517 6bb51fa0 52 API calls 2 library calls 111388->111517 111389->111385 111390 6bb5cdad 111440->111179 111441->111179 111446->111259 111447->111261 111448->111265 111449->111267 111450->111269 111451->111273 111452->111277 111453->111281 111454->111283 111455->111285 111456->111289 111457->111293 111458->111297 111459->111299 
111460->111301 111461->111305 111462->111309 111463->111313 111464->111315 111465->111317 111466->111321 111521 6bb5dcc0 52 API calls 111467->111521 111469 6bb5cfb8 111470 6bb5cfc7 111469->111470 111522 6bb57020 111469->111522 111471 6bb5d195 111470->111471 111474 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111470->111474 111473 6bb9ae8f __expandlocale 5 API calls 111471->111473 111475 6bb5c911 111473->111475 111474->111471 111475->111326 111476 6bb5d128 111484 6bb5d14b 111476->111484 111570 6bb58840 46 API calls std::ios_base::_Ios_base_dtor 111476->111570 111477 6bb5d02c CharLowerW 111489 6bb5cfec 111477->111489 111479 6bb5d13e 111482 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111479->111482 111481 6bb51e90 52 API calls 111481->111489 111482->111484 111483 6bb5d16b 111485 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111483->111485 111484->111470 111571 6bb52a00 46 API calls std::ios_base::_Ios_base_dtor 111484->111571 111485->111470 111489->111476 111489->111477 111489->111481 111491 6bb9b53b std::ios_base::_Ios_base_dtor 46 API calls 111489->111491 111566 6bb52b80 52 API calls 111489->111566 111567 6bb5d460 52 API calls 2 library calls 111489->111567 111568 6bb5a670 52 API calls 3 library calls 111489->111568 111569 6bb5a2d0 46 API calls std::ios_base::_Ios_base_dtor 111489->111569 111491->111489 111492->111329 111493->111331 111494->111337 111495->111341 111496->111345 111497->111349 111498->111334 111499->111338 111500->111346 111501->111350 111502->111354 111503->111360 111504->111362 111505->111365 111506->111369 111507->111371 111508->111384 111512->111390 111516->111388 111521->111469 111523 6bb51e90 52 API calls 111522->111523 111524 6bb570b7 RegOpenKeyExW 111523->111524 111526 6bb570e5 111524->111526 111527 6bb5711f RegQueryInfoKeyW 111524->111527 111528 6bb581a0 52 API calls 111526->111528 111529 6bb57150 RegCloseKey 111527->111529 111561 6bb571b1 111527->111561 111530 6bb570ef 111528->111530 111531 6bb581a0 52 API calls 
[Control-flow graph edge data omitted: the extracted listing was the raw node/edge list (node ids, basic-block addresses and API-call annotations) behind the rendered control-flow graph below. The annotations named Windows API calls such as CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt, CryptDecrypt, RegOpenKeyExW, RegQueryValueExW, RegEnumValueW, CreateFileW, ReadFile, GetFileAttributesExW, GetFileVersionInfoW and RaiseException; the rendered graph carries the same information.]

Control-flow Graph

APIs
• GetVersion.KERNEL32(8CDAA9E8), ref: 005B3D56
• GetVersionExW.KERNEL32(?), ref: 005B3D92
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 005B3DA2
• GetProcAddress.KERNEL32(00000000), ref: 005B3DA9
• GetNativeSystemInfo.KERNELBASE(?), ref: 005B3DBF
• _LicenseIsValid@0.MBAM ref: 005B3E03
• _IsTrialActive@0.MBAMNET ref: 005B3E0D
• _SchedulerInstall@0.MBAM ref: 005B3E17
• _ProtectionInstall@0.MBAM ref: 005B3E1D
• _SchedulerUninstall@0.MBAM ref: 005B3E55
• _ProtectionUninstall@0.MBAM ref: 005B3E5B
• _SchedulerStop@0.MBAM ref: 005B3E75
• _ProtectionStop@0.MBAM ref: 005B3E7B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: ProtectionScheduler$Install@0Stop@0Uninstall@0Version$Active@0AddressHandleInfoLicenseModuleNativeProcSystemTrialValid@0
• String ID: /install$/silent$/startalways$/starttray$/stop$/uninstall$GetNativeSystemInfo$kernel32.dll
• API String ID: 1298140389-106368322
• Opcode ID: a62653946a97668bee669645d741b72cb7e1ab70de02f9ec0e9368d70453f271
• Instruction ID: 2a9a1d93110458471af60ddd6e5653329d782725d108355ec731bb0f738317cb
• Opcode Fuzzy Hash: a62653946a97668bee669645d741b72cb7e1ab70de02f9ec0e9368d70453f271
• Instruction Fuzzy Hash: 51411B31A8424A9BD7149B75EC49BDF7FAABF14345F044166F806E2191EB31FB04CAA1
APIs
• _memmove.LIBCMT ref: 6BB9563B
• std::_Xinvalid_argument.LIBCPMT ref: 6BB959D1
• __CxxThrowException@8.LIBCMT ref: 6BB95A5C
• std::_Xinvalid_argument.LIBCPMT ref: 6BB95A7F
• __CxxThrowException@8.LIBCMT ref: 6BB95AFC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Exception@8ThrowXinvalid_argumentstd::_$_memmove
• String ID: $\$illegal EOF in scalar$illegal document indicator in scalar$illegal tab when looking for indentation$invalid string position$string too long
• API String ID: 647153083-4246587829
• Opcode ID: d2832324a3ebbdaa8c22bbbf9d3476a412c07c24db56b3b638f890962d5e1808
• Instruction ID: e10090ab4a992352368c548dfbf36472bc2859edf7ff0b7d4707478ff9cb0d9a
• Opcode Fuzzy Hash: d2832324a3ebbdaa8c22bbbf9d3476a412c07c24db56b3b638f890962d5e1808
• Instruction Fuzzy Hash: 3652F2705483C08FD721EF24E481B9EBBE1BF86309F104A6DEA9957381D738D949CB96
APIs
• _memmove.LIBCMT ref: 6F88D34A
• __CxxThrowException@8.LIBCMT ref: 6F88D6C9
• std::_Xinvalid_argument.LIBCPMT ref: 6F88D6D3
• __CxxThrowException@8.LIBCMT ref: 6F88D75E
• std::_Xinvalid_argument.LIBCPMT ref: 6F88D781
• __CxxThrowException@8.LIBCMT ref: 6F88D7FE
  • Part of subcall function 6F856840: _memmove.LIBCMT ref: 6F856935
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw$Xinvalid_argument_memmovestd::_
• String ID: $illegal EOF in scalar$illegal document indicator in scalar$illegal tab when looking for indentation$invalid string position$string too long
• API String ID: 2480882615-4201326000
• Opcode ID: 5377a6eb2d5c482ef6b55bafef28eb2f40d4c8e8f1e999d73187cc2f6a0db201
• Instruction ID: 8b981b0dd0c1ad74a0cfe6cc78e10acb239c142bf1098d8ad3912f7abee6e105
• Opcode Fuzzy Hash: 5377a6eb2d5c482ef6b55bafef28eb2f40d4c8e8f1e999d73187cc2f6a0db201
• Instruction Fuzzy Hash: 12527471608385AFD724CF28C48079EBBE2AF85318F504E9FE4A95F391D770A945CB92

Control-flow Graph

APIs
  • Part of subcall function 6F85E400: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040,00000001,?,00000000,D0A01E50,00000000,?,00000000,?,?,00000000), ref: 6F85E45E
• CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?,?,00000001,?,00000000,D0A01E50,00000000,?,00000000,?,?,00000000), ref: 6F85E591
• CryptHashData.ADVAPI32(?,?,?,00000000), ref: 6F85E5B3
• CryptDestroyHash.ADVAPI32(?), ref: 6F85E5C2
• CryptDeriveKey.ADVAPI32(00000000,00006801,?,00000000,?), ref: 6F85E5E2
• CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,?,00000000,?), ref: 6F85E619
• CryptDecrypt.ADVAPI32(?,00000000,00000001,00000000,?,?), ref: 6F85E632
• CryptDestroyKey.ADVAPI32(?,?,?), ref: 6F85E63F
• CryptDestroyHash.ADVAPI32(?,?,?), ref: 6F85E64A
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Crypt$Hash$Destroy$AcquireContextCreateDataDecryptDeriveEncrypt
• String ID:
• API String ID: 2252723939-0
• Opcode ID: aae6acafb2be6ac7294e9c32fca0eea62747b30f5cf1b7508a8719431f10c316
                                                                                                                                                                                                                                                        • Instruction ID: 55c1cdf8d38b6dc5099dba6bb774f2b329a2309b83de20f3b75f77b7578d419b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aae6acafb2be6ac7294e9c32fca0eea62747b30f5cf1b7508a8719431f10c316
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB319C75244B01AFEB10DB24CC59F9B77E9AF89760F108998F5449F280DB70E856CBA1
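The API ID of this function (CryptAcquireContext, CryptCreateHash, CryptHashData, CryptDeriveKey, CryptEncrypt/CryptDecrypt, CryptDestroyHash) is the classic CryptoAPI pattern of hashing a secret and deriving a symmetric key from that hash with CryptDeriveKey. An analyst who recovers the hashed bytes, for example the CryptHashData buffer from one of the memory dumps listed above, can reproduce the derived key offline. The following is an added example written for this report; it is not code from the sample or from Joe Sandbox. The listing does not state the hash algorithm, the hashed input or the key length, so SHA-1, a constructed password and AES-style key lengths are assumptions made for the demonstration.

```python
"""Offline re-implementation of the CryptDeriveKey derivation rule.

Example added for this report (not code from the sample or from Joe Sandbox).
Assumptions: the sample hashes its secret with SHA-1 and asks for a 16- or
32-byte key; both values are chosen here only for demonstration.
"""
import hashlib


def _padded(digest: bytes, const: int) -> bytes:
    """Build the 64-byte pad (0x36 or 0x5C) XORed with the digest, as CryptDeriveKey does."""
    buf = bytearray([const] * 64)
    for i, b in enumerate(digest):
        buf[i] ^= b
    return bytes(buf)


def crypt_derive_key(hash_name: str, hashed_input: bytes, key_len: int) -> bytes:
    """Emulate CryptDeriveKey(hBaseData = <hash over hashed_input>) for a key of key_len bytes.

    Rule documented for CryptDeriveKey:
      * if the digest is at least key_len bytes long, the key is its leading bytes;
      * otherwise two 64-byte pads (0x36 and 0x5C) are XORed with the digest, each is
        hashed again with the same algorithm, and the key is the leading key_len bytes
        of the concatenation; keys longer than twice the digest cannot be derived.
    """
    digest = hashlib.new(hash_name, hashed_input).digest()
    if key_len <= len(digest):
        return digest[:key_len]
    if key_len > 2 * len(digest):
        raise ValueError("key length exceeds what CryptDeriveKey can produce from this hash")
    inner = hashlib.new(hash_name, _padded(digest, 0x36)).digest()
    outer = hashlib.new(hash_name, _padded(digest, 0x5C)).digest()
    return (inner + outer)[:key_len]


def demo() -> dict:
    """Worked run on a constructed secret; returns the intermediate values for checking."""
    data = b"constructed-password"          # constructed input, not from the sample
    digest = hashlib.sha1(data).digest()
    return {
        "digest": digest,
        "key16": crypt_derive_key("sha1", data, 16),   # short key: prefix of the digest
        "key32": crypt_derive_key("sha1", data, 32),   # long key: pad-and-rehash expansion
        "inner": hashlib.sha1(_padded(digest, 0x36)).digest(),
        "outer": hashlib.sha1(_padded(digest, 0x5C)).digest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>6}: {value.hex()}")
```

The rule is the one Microsoft documents for CryptDeriveKey; provider-specific handling of short RC4 keys (salt bytes) is not modelled, and the derived bytes still have to be fed to whichever cipher the sample selects as the CryptDeriveKey algorithm, which this listing does not show.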

Control-flow Graph (graph rendering not recoverable from the text): entry block 6bb57020; basic blocks call RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW in a loop, RegCloseKey, and the std::_Xinvalid_argument helpers. The executed/not-executed colouring of the graph is not preserved.
APIs
  • Part of subcall function 6BB51E90: std::_Xinvalid_argument.LIBCPMT ref: 6BB51EAA
• RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00020019,000000FF), ref: 6BB570DB
• RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 6BB57146
• RegCloseKey.KERNELBASE(?,?,?,?,?,?,80000001), ref: 6BB573D7
• RegCloseKey.ADVAPI32(000000FF), ref: 6BB57155
  • Part of subcall function 6BB581A0: std::_Xinvalid_argument.LIBCPMT ref: 6BB5820C
  • Part of subcall function 6BB58280: std::_Xinvalid_argument.LIBCPMT ref: 6BB582EC
• RegEnumValueW.KERNELBASE(?,?,00000000,?,00000000,?,00000000,?,?,?,80000001), ref: 6BB57243
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_$Close$EnumInfoOpenQueryValue
• String ID:
• API String ID: 3111832342-0
• Opcode ID: 10cd741607a37c0ca5207d76e68fdaff15484965b5801426df0f0a5ca1bc0566
• Instruction ID: ffed6857eaca73a46fc8b1debc22293a1b99c888ccb0e06a07fc38ddc66dcea2
• Opcode Fuzzy Hash: 10cd741607a37c0ca5207d76e68fdaff15484965b5801426df0f0a5ca1bc0566
• Instruction Fuzzy Hash: 88C149B25083809BD324DF65D881B9FB7E9BF89304F44892DF59A83250EB79A504CB53

Control-flow Graph (graph rendering not recoverable from the text): entry block 6f85b9e0; basic blocks call RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW in a loop, RegCloseKey, and the std::_Xinvalid_argument helpers. The executed/not-executed colouring of the graph is not preserved.
APIs
  • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• RegOpenKeyExW.KERNELBASE(?,?,00000000,00020019,D0A01E50), ref: 6F85BA98
• RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000007,?,00000000,?,?,?,00000000,00000000), ref: 6F85BAFC
• RegCloseKey.ADVAPI32(D0A01E50), ref: 6F85BB0B
  • Part of subcall function 6F857BA0: std::_Xinvalid_argument.LIBCPMT ref: 6F857C0C
  • Part of subcall function 6F85CC00: std::_Xinvalid_argument.LIBCPMT ref: 6F85CC6C
• RegEnumValueW.KERNELBASE(?,?,00000000,?,00000000,?,00000000,?,?,?,00000007), ref: 6F85BBFA
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_$CloseEnumInfoOpenQueryValue
• String ID:
• API String ID: 307547635-0
• Opcode ID: 101d73390b32e1ec2066b206bf90aac08468421b7b7680eb6fdfbb7a521b70d2
• Instruction ID: 0a973fdfe3b1a05938c6936bcc2d5f40425cab70875a606d576fdf8bc4692021
• Opcode Fuzzy Hash: 101d73390b32e1ec2066b206bf90aac08468421b7b7680eb6fdfbb7a521b70d2
• Instruction Fuzzy Hash: C9C14BB1508780ABD764CF68C880A9BB7E8BFD9304F048D5EF59A8B251E771A504CB53

Control-flow Graph (graph rendering not recoverable from the text): entry block 6f8625e0; basic blocks call FindFirstFileW, FindNextFileW in a loop and FindClose, with string-building helper calls between them. The executed/not-executed colouring of the graph is not preserved.
APIs
• FindFirstFileW.KERNELBASE(D0A01E50,?), ref: 6F862697
• FindNextFileW.KERNELBASE(00000000,00000400), ref: 6F86284C
• FindClose.KERNELBASE(00000000), ref: 6F86285B
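The two registry-walking functions above (6BB57020 and 6F85B9E0: RegOpenKeyExW, RegQueryInfoKeyW, a RegEnumValueW loop, RegCloseKey) and this FindFirstFileW/FindNextFileW/FindClose loop are recorded only as raw hexadecimal arguments, with "?" for arguments the disassembler could not resolve. The example below, added for this report and not code from Joe Sandbox or from the sample, parses those API lines and turns the fixed-position arguments into symbols, so that 80000001 reads as HKEY_CURRENT_USER and 00020019 as KEY_READ, then labels what the call set implies. The line-format regex and the behaviour labels are the example's own assumptions; the sample lines are copied from the listings above.

```python
"""Decode Joe Sandbox "APIs" lines into symbolic Windows registry constants.

Example added for this report (not Joe Sandbox's code and not code from the sample).
The regular expression for the line shape and the behaviour labels are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the function listings in this report (constructed list).
SAMPLE_LINES = [
    "RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00020019,000000FF), ref: 6BB570DB",
    "RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 6BB57146",
    "RegEnumValueW.KERNELBASE(?,?,00000000,?,00000000,?,00000000,?,?,?,80000001), ref: 6BB57243",
    "RegCloseKey.ADVAPI32(000000FF), ref: 6BB57155",
    "FindFirstFileW.KERNELBASE(D0A01E50,?), ref: 6F862697",
    "FindNextFileW.KERNELBASE(00000000,00000400), ref: 6F86284C",
    "FindClose.KERNELBASE(00000000), ref: 6F86285B",
]

# Assumed shape: Func.Module(arg,arg,...), ref: ADDRESS
LINE_RE = re.compile(r"^(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

# Predefined registry root handles (winreg.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Registry access masks: composite names first, then individual bits (winreg.h / winnt.h).
KEY_COMPOSITES = {0xF003F: "KEY_ALL_ACCESS", 0x20019: "KEY_READ", 0x20006: "KEY_WRITE"}
KEY_BITS = {
    0x00001: "KEY_QUERY_VALUE", 0x00002: "KEY_SET_VALUE", 0x00004: "KEY_CREATE_SUB_KEY",
    0x00008: "KEY_ENUMERATE_SUB_KEYS", 0x00010: "KEY_NOTIFY", 0x00020: "KEY_CREATE_LINK",
    0x00100: "KEY_WOW64_64KEY", 0x00200: "KEY_WOW64_32KEY",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
KNOWN_BITS = 0
for _bit in KEY_BITS:
    KNOWN_BITS |= _bit


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]      # int for a resolved hex argument, None for "?"
    ref: int                        # call-site address
    notes: List[str] = field(default_factory=list)


def access_mask(mask: int) -> str:
    """Render a registry samDesired mask symbolically, keeping unknown bits as hex."""
    if mask in KEY_COMPOSITES:
        return KEY_COMPOSITES[mask]
    names = [name for bit, name in KEY_BITS.items() if mask & bit]
    rest = mask & ~KNOWN_BITS
    if rest:
        names.append(f"0x{rest:X}")
    return " | ".join(names) or "0"


def annotate(call: ApiCall) -> None:
    """Attach meaning only to arguments whose position is fixed by the API prototype."""
    if call.func.startswith("RegOpenKeyEx") and len(call.args) >= 4:
        root, sam = call.args[0], call.args[3]
        if root in HKEY_ROOTS:
            call.notes.append(f"hKey={HKEY_ROOTS[root]}")
        if sam is not None:
            call.notes.append(f"samDesired={access_mask(sam)}")


def parse_line(line: str) -> ApiCall:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a != ""]
    call = ApiCall(m["func"], m["module"], args, int(m["ref"], 16))
    annotate(call)
    return call


def summarise(lines) -> dict:
    """Parse every line and name the behaviours the set of calls implies (assumed labels)."""
    calls = [parse_line(line) for line in lines]
    funcs = {c.func for c in calls}
    behaviours = []
    if {"RegOpenKeyExW", "RegEnumValueW"} <= funcs:
        behaviours.append("enumerates registry values")
    if {"FindFirstFileW", "FindNextFileW"} <= funcs:
        behaviours.append("walks a directory listing")
    return {"calls": calls, "behaviours": behaviours}


if __name__ == "__main__":
    result = summarise(SAMPLE_LINES)
    for c in result["calls"]:
        print(f"{c.ref:08X} {c.func}.{c.module} {' '.join(c.notes)}")
    print("behaviours:", ", ".join(result["behaviours"]))
```

Only arguments whose position is fixed by the API prototype are decoded; values such as the D0A01E50 buffer pointer or the 000000FF handle are left as opaque integers, since the listing gives no way to tell a recovered stack value from a constant.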
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: \
• API String ID: 3541575487-2967466578
• Opcode ID: cf591044454c65bf52b4b52f02c606c221db26f556acf09f6e186f12e39d3dcb
• Instruction ID: 6f0b6e125f7e5b9f4359e4a64ab33b86447b5446b1e9dc4c5c381249065a3359
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf591044454c65bf52b4b52f02c606c221db26f556acf09f6e186f12e39d3dcb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED918D715087819FDB14DF28C844F9BB7E4BF99314F004EADF8998B290E735A909CB92

Control-flow Graph
• Function at 6bb592b0 (basic blocks 6bb592b0-6bb595db); graph rendering omitted. Calls within the graph: FindFirstFileW, FindNextFileW, FindClose.
APIs
• FindFirstFileW.KERNELBASE(7BDC3733,?), ref: 6BB59368
• FindNextFileW.KERNELBASE(00000000,00000400), ref: 6BB5951B
• FindClose.KERNELBASE(00000000), ref: 6BB5952A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: \
• API String ID: 3541575487-2967466578
• Opcode ID: 05c8f7988b02077f29e51cd3b6a5d13df109b3720baa510796d8d354e2d31ad6
• Instruction ID: d164870d4bf1a649b428353cde27defcbfb649b33fdd76586a17bdcb5d695b61
• Opcode Fuzzy Hash: 05c8f7988b02077f29e51cd3b6a5d13df109b3720baa510796d8d354e2d31ad6
• Instruction Fuzzy Hash: E4917AB25083819BD320DF24D845B9FB3E5FF99314F400A6CE99987291E739E919CB93
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040,00000001,?,00000000,D0A01E50,00000000,?,00000000,?,?,00000000), ref: 6F85E45E
Strings
• Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6F85E450
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: AcquireContextCrypt_malloc
• String ID: Microsoft Enhanced Cryptographic Provider v1.0
• API String ID: 3378577091-1948191093
• Opcode ID: 60544623c59eeb7e5decd0d72ff87a3870948182f5aa6b836745b31379ab8534
• Instruction ID: 5263a51f60f4cc305005e669331272ff56887304348d3f13c2af7e4ba31efe66
• Opcode Fuzzy Hash: 60544623c59eeb7e5decd0d72ff87a3870948182f5aa6b836745b31379ab8534
• Instruction Fuzzy Hash: 181102B5509B91DFD714CF08D842B517BE4FB49B20F0009AEE995DB780E37AA614CBC2
APIs
  • Part of subcall function 6BB9B5AB: _malloc.LIBCMT ref: 6BB9B5C5
• CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040,00000001,00000007,00000000,7BDC3733,?,?,7BDC3733,?,00000007,00000000), ref: 6BB7002E
Strings
• Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6BB70020
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: AcquireContextCrypt_malloc
• String ID: Microsoft Enhanced Cryptographic Provider v1.0
• API String ID: 3378577091-1948191093
• Opcode ID: c08e28b37b85d8f7528b87562bba0ea80eb59efd925b88fb6c686c88c1e483a6
• Instruction ID: 3207f67a99556abace7b942569edfded73d1e65dd693f8374c493dd8ec531469
• Opcode Fuzzy Hash: c08e28b37b85d8f7528b87562bba0ea80eb59efd925b88fb6c686c88c1e483a6
• Instruction Fuzzy Hash: 2711E0755087919FE720DF18EA51B42BBE4FB0AB20F40052EE9859B780E37EE940CB81

Control-flow Graph
• Function at 6f861a90 (basic blocks 6f861a90-6f861c4b); graph rendering omitted. Calls within the graph: CreateFileW, GetFileSizeEx, ReadFile, CloseHandle.
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,000000FF,6F861A7F,?,?,6F861D2A), ref: 6F861B14
• GetFileSizeEx.KERNEL32(00000000,?), ref: 6F861B3F
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 6F861B8E
• CloseHandle.KERNEL32(00000000), ref: 6F861B99
• CloseHandle.KERNEL32(00000000), ref: 6F861BD7
• CloseHandle.KERNEL32(00000000), ref: 6F861BE7
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseFileHandle$CreateReadSize_malloc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2550811386-0
                                                                                                                                                                                                                                                        • Opcode ID: 0b3af65a90425cf62d7a4bb602420a9445530ee587fdb899f7f471de846535cc
                                                                                                                                                                                                                                                        • Instruction ID: 6b312cda8cf42963af7286090cb4d55c3e0e737ac61e9c400176acd999c461c9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b3af65a90425cf62d7a4bb602420a9445530ee587fdb899f7f471de846535cc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A518170508B449BD314CF29C944B5BB7E8FF89B64F104A9EF4648B291EB74E905CB92

Control-flow Graph

control_flow_graph 703 6bb6edd0-6bb6ee0f call 6bb9b5ab 706 6bb6ee11-6bb6ee19 703->706 707 6bb6ee1b 703->707 708 6bb6ee1d-6bb6ee3c call 6bb56270 706->708 707->708 711 6bb6ee42 708->711 712 6bb6ee3e-6bb6ee40 708->712 713 6bb6ee44-6bb6ee5f CreateFileW 711->713 712->713 714 6bb6ee61-6bb6ee74 call 6bb65da0 713->714 715 6bb6ee79-6bb6ee87 GetFileSizeEx 713->715 722 6bb6ef40-6bb6ef4b 714->722 717 6bb6ef26-6bb6ef3b CloseHandle call 6bb65da0 715->717 718 6bb6ee8d-6bb6ee93 715->718 717->722 718->717 720 6bb6ee99-6bb6ee9d 718->720 723 6bb6eea3-6bb6eea5 720->723 724 6bb6ee9f-6bb6eea1 720->724 725 6bb6ef76-6bb6ef8b 722->725 726 6bb6ef4d-6bb6ef57 722->726 727 6bb6ef1f-6bb6ef24 723->727 728 6bb6eea7 723->728 724->723 724->727 726->725 731 6bb6ef59-6bb6ef6b 726->731 727->717 729 6bb6eeae-6bb6eeb1 728->729 730 6bb6eea9-6bb6eeac 728->730 729->727 732 6bb6eeb3-6bb6eed7 call 6bb6ed40 ReadFile 729->732 730->727 730->729 731->725 736 6bb6ef6d-6bb6ef72 731->736 737 6bb6ef17-6bb6ef1d CloseHandle 732->737 738 6bb6eed9-6bb6eee3 CloseHandle call 6bb6ed10 732->738 736->725 740 6bb6eee8-6bb6ef15 call 6bb65da0 call 6bb694b0 737->740 738->740 740->725
APIs
  • Part of subcall function 6BB9B5AB: _malloc.LIBCMT ref: 6BB9B5C5
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,000000FF,6BB6EDBF,?,?,6BB6EFCA), ref: 6BB6EE54
• GetFileSizeEx.KERNEL32(00000000,?), ref: 6BB6EE7F
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 6BB6EECE
• CloseHandle.KERNEL32(00000000), ref: 6BB6EED9
• CloseHandle.KERNEL32(00000000), ref: 6BB6EF17
• CloseHandle.KERNEL32(00000000), ref: 6BB6EF27
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: CloseFileHandle$CreateReadSize_malloc
• String ID:
• API String ID: 2550811386-0
• Opcode ID: a016831f433d8d936a2650afd1233ad58752dd255868154b54c157c714bbac90
• Instruction ID: 5e0c4d2fd7a43c5d9a05c088b5ef9b62757aeb8a796657e3056785942f040532
• Opcode Fuzzy Hash: a016831f433d8d936a2650afd1233ad58752dd255868154b54c157c714bbac90
• Instruction Fuzzy Hash: 9E518A71114281DFE710CF29CC84B5EBBE8FF867A4F114A59F56487290E778ED058B62

Control-flow Graph

control_flow_graph 661 5e0620-5e065f call 5e7b0d 664 5e066b 661->664 665 5e0661-5e0669 661->665 666 5e066d-5e068c call 5baf30 664->666 665->666 669 5e068e-5e0690 666->669 670 5e0692 666->670 671 5e0694-5e06af CreateFileW 669->671 670->671 672 5e06c9-5e06d7 GetFileSizeEx 671->672 673 5e06b1-5e06c4 call 5e04f0 671->673 675 5e06dd-5e06e3 672->675 676 5e0776-5e078b CloseHandle call 5e04f0 672->676 680 5e0790-5e079b 673->680 675->676 678 5e06e9-5e06ed 675->678 676->680 681 5e06ef-5e06f1 678->681 682 5e06f3-5e06f5 678->682 683 5e079d-5e07a7 680->683 684 5e07c6-5e07db 680->684 681->682 685 5e076f-5e0774 681->685 682->685 686 5e06f7 682->686 683->684 687 5e07a9-5e07bb 683->687 685->676 688 5e06fe-5e0701 686->688 689 5e06f9-5e06fc 686->689 687->684 694 5e07bd-5e07c2 687->694 688->685 690 5e0703-5e0727 call 5e0590 ReadFile 688->690 689->685 689->688 695 5e0729-5e0733 CloseHandle call 5e0560 690->695 696 5e0767-5e076d CloseHandle 690->696 694->684 698 5e0738-5e0765 call 5e04f0 call 5bad40 695->698 696->698 698->684
APIs
  • Part of subcall function 005E7B0D: _malloc.LIBCMT ref: 005E7B27
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,000000FF,005E060F,?,?,005E081A), ref: 005E06A4
• GetFileSizeEx.KERNEL32(00000000,?), ref: 005E06CF
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 005E071E
• CloseHandle.KERNEL32(00000000), ref: 005E0729
• CloseHandle.KERNEL32(00000000), ref: 005E0767
• CloseHandle.KERNEL32(00000000), ref: 005E0777
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: CloseFileHandle$CreateReadSize_malloc
• String ID:
• API String ID: 2550811386-0
• Opcode ID: f920690a0e76bc4a1079e2b3de8cf8730e0d3f7937f3cfea71f66b0d72bb626a
• Instruction ID: 5b686ecbb0999997326a350604d86840c440665cffc306b4c29b98c9ed5466e3
• Opcode Fuzzy Hash: f920690a0e76bc4a1079e2b3de8cf8730e0d3f7937f3cfea71f66b0d72bb626a
• Instruction Fuzzy Hash: FE5188701082819BC314DF26D984B2BBBE8FFC8724F145A09F4A5872D0E7B4E945CBA2

Control-flow Graph

control_flow_graph 787 5b31f0-5b322c 788 5b322e-5b3230 787->788 789 5b3232-5b3244 787->789 790 5b3259-5b3263 788->790 789->790 791 5b3246-5b3252 789->791 793 5b327c-5b32d4 790->793 794 5b3265-5b326b 790->794 791->790 792 5b3254 791->792 792->790 799 5b32f2-5b32f6 793->799 800 5b32d6-5b32da 793->800 796 5b326d-5b3270 call 5e7b0d 794->796 797 5b3280-5b32c5 call 5e758d call 5e8536 call 5b33c0 794->797 804 5b3275-5b327a 796->804 802 5b32f8-5b3303 call 5e7ab1 799->802 803 5b3306-5b3311 799->803 806 5b32dc-5b32de 800->806 807 5b32e0 800->807 802->803 809 5b3313 803->809 810 5b3315-5b332c 803->810 804->793 804->797 812 5b32e2-5b32ef call 5e8a90 806->812 807->812 809->810 812->799
APIs
• std::exception::exception.LIBCMT ref: 005B328E
  • Part of subcall function 005E758D: std::exception::_Copy_str.LIBCMT ref: 005E75A8
• __CxxThrowException@8.LIBCMT ref: 005B32A3
  • Part of subcall function 005E8536: RaiseException.KERNEL32(005B32A8,?,8CDAA9E8,00607460,005B32A8,?,00611CD0,8CDAA9E8,8CDAA9E8), ref: 005E8578
  • Part of subcall function 005B33C0: std::exception::exception.LIBCMT ref: 005B33F1
  • Part of subcall function 005B33C0: __CxxThrowException@8.LIBCMT ref: 005B3408
• _memmove.LIBCMT ref: 005B32E7
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
                                                                                                                                                                                                                                                        • String ID: ExecuteMBAMCommand$`t`
                                                                                                                                                                                                                                                        • API String ID: 163498487-1378453443
                                                                                                                                                                                                                                                        • Opcode ID: eb0f077f6690f6520de74c153ea758c7d47690ee8e41129ed0f1216d9a64ecfa
                                                                                                                                                                                                                                                        • Instruction ID: 7c2649ea2b5a426f99013fedcc319496422009849767393d6300b9e92a76dd4b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eb0f077f6690f6520de74c153ea758c7d47690ee8e41129ed0f1216d9a64ecfa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E419975A04215ABCB04DF69C8455EEFBF5FF44310B15462EE826A7740D730BA14C7A1

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 819 6f853280-6f853291 820 6f853293-6f853298 call 6f88f682 819->820 821 6f85329d-6f8532a1 819->821 820->821 822 6f8532a5-6f8532a7 821->822 823 6f8532a3 821->823 825 6f8532c6-6f8532cc 822->825 826 6f8532a9-6f8532c3 call 6f853520 * 2 822->826 823->822 828 6f8532ce-6f8532d3 call 6f88f635 825->828 829 6f8532d8-6f8532dd 825->829 828->829 832 6f8532fc-6f8532fe 829->832 833 6f8532df-6f8532e5 call 6f8536c0 829->833 834 6f853300-6f853306 832->834 835 6f8532ee-6f8532f6 832->835 841 6f8532ea-6f8532ec 833->841 838 6f853318-6f853323 834->838 839 6f853308-6f853315 834->839 842 6f853326 835->842 843 6f8532f8-6f8532fa 835->843 841->835 845 6f853366-6f85336c 841->845 844 6f853328-6f85332b 842->844 843->844 846 6f853331 844->846 847 6f85332d-6f85332f 844->847 848 6f853333-6f85334b call 6f892a50 846->848 847->848 851 6f85334d-6f85335b 848->851 852 6f85335e-6f853362 848->852 852->845
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853298
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F8532D3
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F85333C
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                                                                                                                                        • API String ID: 1615890066-4289949731
                                                                                                                                                                                                                                                        • Opcode ID: 43e22e2bd24d48844c582211ae00cc2c128eb39b1ca8472ae48420eb4830c656
                                                                                                                                                                                                                                                        • Instruction ID: f6f964a000a04715dcf5c8b8cc8158f24b3df58a93b7ed4feab814fbba59dae6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 43e22e2bd24d48844c582211ae00cc2c128eb39b1ca8472ae48420eb4830c656
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B221DC733057149B87249E6CB88246AF3A6EF953623104EAFE556CF250EB31EC21C7A5

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 853 5e7b0d-5e7b15 854 5e7b24-5e7b2f call 5e9fe7 853->854 857 5e7b17-5e7b22 call 5ec847 854->857 858 5e7b31-5e7b32 854->858 857->854 861 5e7b33-5e7b44 857->861 862 5e7b46-5e7b71 call 5e7505 call 5e7dd9 861->862 863 5e7b72-5e7b8c call 5e7639 call 5e8536 861->863 862->863
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _malloc.LIBCMT ref: 005E7B27
                                                                                                                                                                                                                                                          • Part of subcall function 005E9FE7: __FF_MSGBANNER.LIBCMT ref: 005EA000
                                                                                                                                                                                                                                                          • Part of subcall function 005E9FE7: __NMSG_WRITE.LIBCMT ref: 005EA007
                                                                                                                                                                                                                                                          • Part of subcall function 005E9FE7: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,005EB2F9,00000000,00000001,00000000,?,005F0E4F,00000018,006119D0,0000000C,005F0EDF), ref: 005EA02C
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 005E7B5C
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 005E7B76
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 005E7B87
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                                                                                                                        • String ID: `t`
                                                                                                                                                                                                                                                        • API String ID: 615853336-2977419160
                                                                                                                                                                                                                                                        • Opcode ID: 9c84a354a6534560da1a169e4668125d3a30eb6a80d816a0059a9a9aebceab84
                                                                                                                                                                                                                                                        • Instruction ID: f10a7e4a0aedd1b4210769f2cdd08d3bd5ebfe7e7e857ec74f4a6437d64436d4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c84a354a6534560da1a169e4668125d3a30eb6a80d816a0059a9a9aebceab84
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E4F0F97194428E6ACB0DEF56DC0A9DE3FAAFB84718F04045AF450960D1EB709E409690

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 1215 6bb51e90-6bb51ea3 1216 6bb51ea5-6bb51eaa call 6bbb1350 1215->1216 1217 6bb51eaf-6bb51eb7 1215->1217 1216->1217 1218 6bb51eb9 1217->1218 1219 6bb51ebb-6bb51ebd 1217->1219 1218->1219 1221 6bb51edc-6bb51ee2 1219->1221 1222 6bb51ebf-6bb51ed9 call 6bb520a0 * 2 1219->1222 1224 6bb51ee4-6bb51ee9 call 6bbb1303 1221->1224 1225 6bb51eee-6bb51ef3 1221->1225 1224->1225 1228 6bb51ef5-6bb51efa call 6bb52200 1225->1228 1229 6bb51f11-6bb51f13 1225->1229 1239 6bb51eff-6bb51f01 1228->1239 1230 6bb51f15-6bb51f1b 1229->1230 1231 6bb51f03-6bb51f0b 1229->1231 1236 6bb51f2d-6bb51f38 1230->1236 1237 6bb51f1d-6bb51f2a 1230->1237 1234 6bb51f0d-6bb51f0f 1231->1234 1235 6bb51f3b 1231->1235 1240 6bb51f3d-6bb51f40 1234->1240 1235->1240 1239->1231 1241 6bb51f7b-6bb51f81 1239->1241 1242 6bb51f46 1240->1242 1243 6bb51f42-6bb51f44 1240->1243 1244 6bb51f48-6bb51f60 call 6bba9c80 1242->1244 1243->1244 1247 6bb51f73-6bb51f77 1244->1247 1248 6bb51f62-6bb51f70 1244->1248 1247->1241
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6BB51EAA
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1350: std::exception::exception.LIBCMT ref: 6BBB1365
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1350: __CxxThrowException@8.LIBCMT ref: 6BBB137A
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1350: std::exception::exception.LIBCMT ref: 6BBB138B
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6BB51EE9
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB1318
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: __CxxThrowException@8.LIBCMT ref: 6BBB132D
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB133E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: invalid string position$string too long
• API String ID: 1823113695-4289949731
• Opcode ID: b83905471d7cfb8e7e5ba2d05357f18a6b361286f7a3ee283e9b924f7fcaa49f
• Instruction ID: 113a688652ddc430b56f4eec5c2385e8c4eca1215f8649bb029441b3b3ce2bf9
• Opcode Fuzzy Hash: b83905471d7cfb8e7e5ba2d05357f18a6b361286f7a3ee283e9b924f7fcaa49f
• Instruction Fuzzy Hash: 6D31C2337097649B83209E6CEC8096FF3A9EBD1761714096FF552C7250EB26986087A2

Control-flow Graph

• Basic blocks 5b2dd0-5b2eb3; internal calls to 5e6abc, 5b31f0, 5e8a90 and 5b2b30 (the rendered graph and its executed/not-executed colouring are not reproduced in this text capture).
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: ExecuteMBAMCommand$string too long
• API String ID: 256744135-492468810
• Opcode ID: a656efaa31ebec1affebf57baf8dcaa89dca11d25c88be144b0a83a994a77140
• Instruction ID: 0362fb7afe743063b00f3e4eee0ceb71a55d4c76680c5a095fc3bf81c662216d
• Opcode Fuzzy Hash: a656efaa31ebec1affebf57baf8dcaa89dca11d25c88be144b0a83a994a77140
• Instruction Fuzzy Hash: 8E216F727146048B8A24DE5EE8848BAFBEEFFE5740B10092EE146C7611DB71FC468775
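Reading the dump identifiers. Each Memory Dump Source entry above packs the sandbox process index, the dump phase, a counter, the region base address, its page protection, its region type and a module index into one dotted .sdmp name, and the IDA-plugin snapshot name repeats the process, phase and module base. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses those names so that an analyst can pick out the executable, PE-backed regions of a module (the "based on PE: true" entries) and list the regions per module. The PAGE_* and MEM_* values are the standard Win32 constants; the assignment of meanings to the eight fields is inferred from the identifiers on this page (for instance 0000000C and the "12" in hcaresult_12_2_6bb50000_cpcsgui.jbxd) and is an assumption, as is the decimal counter's role. The sample list is copied from this report's entries.

```python
"""Parse Joe Sandbox memory-dump (.sdmp) and IDA-plugin snapshot (.jbxd) names.

Added example, not part of the Joe Sandbox report or its tooling. The .sdmp field
layout is inferred from the identifiers on this page and cross-checked against the
snapshot names (hcaresult_12_2_6bb50000_cpcsgui.jbxd -> process 12, phase 2,
module base 0x6bb50000). Only the PAGE_* and MEM_* values are standard Win32
constants (winnt.h); the field meanings are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# winnt.h page protections; the low byte of the fifth field.
PAGE_PROTECT: Dict[int, str] = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types (MEMORY_BASIC_INFORMATION.Type); the seventh field.
MEM_TYPE: Dict[int, str] = {
    0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE",
}
# Assumed layout: proc.phase.seq.base.protect.flags.type.module.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)
# hcaresult_<proc>_<phase>_<modulebase>_<modulename>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


@dataclass(frozen=True)
class Sdmp:
    name: str
    process: int   # sandbox process index (0x0000000C == 12 on this page)
    phase: int     # dump point / analysis round (2 on this page)
    seq: int       # decimal counter; assumed to order dumps within a phase
    base: int      # region base address
    protect: int   # PAGE_* protection of the region
    flags: int     # sixth field; meaning not documented on the page, kept raw
    mem_type: int  # MEM_* region type (MEM_IMAGE == "based on PE: true")
    module: int    # module index inside the process (assumed)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)  # the four PAGE_EXECUTE* bits


def parse_sdmp(name: str) -> Sdmp:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name!r}")

    def hx(key: str) -> int:
        return int(m.group(key), 16)

    return Sdmp(name.strip(), hx("proc"), hx("phase"), int(m.group("seq")), hx("base"),
                hx("protect"), hx("flags"), hx("mtype"), hx("module"))


def parse_snapshot(name: str) -> Tuple[int, int, int, str]:
    m = SNAPSHOT_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox snapshot name: {name!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), m.group(4)


def executable_dumps(names: List[str]) -> List[Sdmp]:
    """The dumps worth disassembling: executable, PE-backed regions."""
    return [d for d in map(parse_sdmp, names) if d.is_executable and d.mem_type == 0x01000000]


def regions_by_module(names: List[str]) -> Dict[int, List[Tuple[int, str]]]:
    """Module index -> [(base, protection name)] sorted by address."""
    out: Dict[int, List[Tuple[int, str]]] = {}
    for d in map(parse_sdmp, names):
        out.setdefault(d.module, []).append((d.base, d.protect_name))
    return {k: sorted(v) for k, v in out.items()}


# Sample input copied from the Memory Dump Source entries of this report.
SAMPLE_DUMPS = [
    "0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp",
    "0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp",
    "0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp",
    "0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp",
    "0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp",
    "0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp",
]
SAMPLE_SNAPSHOT = "hcaresult_12_2_6bb50000_cpcsgui.jbxd"

if __name__ == "__main__":
    proc, phase, mbase, mname = parse_snapshot(SAMPLE_SNAPSHOT)
    print(f"snapshot: process {proc}, phase {phase}, {mname} at {mbase:#x}")
    for d in executable_dumps(SAMPLE_DUMPS):
        print(f"code region: module {d.module:#x} base {d.base:#x} {d.protect_name}")
    for mod, regions in regions_by_module(SAMPLE_DUMPS).items():
        print(f"module {mod:#x}: " + ", ".join(f"{b:#x}={p}" for b, p in regions))
```

With the six sample names, only the two 0x20 (PAGE_EXECUTE_READ) regions at 6BB51000 and 005B1000 come back from executable_dumps, which is what the report's own choice of Source File for each function reflects; the read-only, read-write and write-copy regions are the module's data sections.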

Control-flow Graph

• Basic blocks 6bb57bb0-6bb57d57; internal calls to 6bb51e90, 6bb51fa0, 6bb9ae8f and 6bb9b53b; API calls RegOpenKeyExW, RegQueryValueExW and RegCloseKey, the last at two sites (6bb57cb0 and 6bb57cdf), one on each branch following RegQueryValueExW (the rendered graph and its executed/not-executed colouring are not reproduced in this text capture).
APIs
  • Part of subcall function 6BB51E90: std::_Xinvalid_argument.LIBCPMT ref: 6BB51EAA
• RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000001,7BDC3733), ref: 6BB57C48
• RegQueryValueExW.KERNELBASE(7BDC3733,?,00000000,00000000,00000007,00000800), ref: 6BB57CA1
• RegCloseKey.ADVAPI32(7BDC3733), ref: 6BB57CB0
• RegCloseKey.ADVAPI32(7BDC3733), ref: 6BB57CDF
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Close$OpenQueryValueXinvalid_argumentstd::_
• String ID:
• API String ID: 4154549875-0
• Opcode ID: 496174d1620377e215204dda6d676ad373fb665df9f5a87115a444aadecbd5be
• Instruction ID: 0cbe0decc18a404f2f60a638645563ec2f136964084faaa907cd734c568f2afa
• Opcode Fuzzy Hash: 496174d1620377e215204dda6d676ad373fb665df9f5a87115a444aadecbd5be
• Instruction Fuzzy Hash: F0414CB2609385AFD760DF25D844A6BB7F9FFC9714F404A1EE08587240DB78A504CBA3
APIs
  • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000001,D0A01E50), ref: 6F85C597
• RegQueryValueExW.KERNELBASE(D0A01E50,?,00000000,00000000,?,00000800), ref: 6F85C5CE
• RegCloseKey.KERNELBASE(D0A01E50), ref: 6F85C5DD
• RegCloseKey.KERNELBASE(D0A01E50), ref: 6F85C5E5
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Close$OpenQueryValueXinvalid_argumentstd::_
• String ID:
• API String ID: 4154549875-0
• Opcode ID: 257ef09e418dbdb2e90dd99c3f6994e36725d121ae8534df4c3d5550e9fcc3d9
• Instruction ID: b0cf4edbc7859ff89c66704479673084f5479613792e9ca2a6feca3892a259f8
• Opcode Fuzzy Hash: 257ef09e418dbdb2e90dd99c3f6994e36725d121ae8534df4c3d5550e9fcc3d9
• Instruction Fuzzy Hash: A7415B715047419FC764CF29C884A5BB7E8FF8A714F404E5EF4958B250EB30A518CBA2
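Decoding the API trace. The two APIs lists above describe the same read-only registry probe: RegOpenKeyExW with samDesired 00000001 (KEY_QUERY_VALUE, nothing more), one RegQueryValueExW, and RegCloseKey on both the failure and the success branch; in the first function the hive argument is shown as "?" (not resolved by the static pass), in the second it is 80000002, HKEY_LOCAL_MACHINE. The Python below is an added example and not part of the Joe Sandbox report: it parses lines in the report's own "Func.Module(args), ref: addr" and "Part of subcall function X: Func.Module ref: addr" shapes and names the hive and access rights from the standard Win32 constants. Arguments are read positionally from the documented prototype RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired, phkResult); treating "?" as an unresolved argument is an assumption about the report's notation. The sample lines are copied from the two APIs lists above.

```python
"""Decode the API-trace lines of this report's APIs lists.

Added example, not part of the Joe Sandbox report. Arguments are read positionally
from the Win32 prototype RegOpenKeyExW(hKey, lpSubKey, ulOptions, samDesired,
phkResult); "?" is taken to mean an argument the static pass could not resolve
(an assumption about the report's notation).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# winreg.h predefined hive handles and registry access-mask bits (standard values).
HIVES: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA", 0x80000005: "HKEY_CURRENT_CONFIG",
}
KEY_ACCESS_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]
# "Func.Module(args), ref: addr" or "Part of subcall function X: Func.Module ref: addr"
LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_][\w:]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]  # None where the report printed "?"
    ref: int                   # call-site address
    subcall: Optional[int]     # callee address when marked "Part of subcall function"


def parse_api_line(line: str) -> ApiCall:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    raw = m.group("args")
    args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("func"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def decode_access(mask: int) -> List[str]:
    names = [n for bit, n in KEY_ACCESS_BITS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_ACCESS_BITS)
    return names + ([hex(rest)] if rest else [])


def decode_reg_open(call: ApiCall) -> Dict[str, object]:
    """Name the hive and the access rights of a RegOpenKeyExW call."""
    if call.func != "RegOpenKeyExW" or len(call.args) != 5:
        raise ValueError("not a RegOpenKeyExW call with five arguments")
    hkey, subkey, options, sam, _phkresult = call.args
    return {
        # a hive constant, a hex handle opened earlier, or "?" when unresolved
        "hive": "?" if hkey is None else HIVES.get(hkey, hex(hkey)),
        "subkey": subkey,  # None: the key name was not resolved statically
        "options": options,
        "access": None if sam is None else decode_access(sam),
        "unresolved": [i for i, a in enumerate(call.args) if a is None],
    }


def close_sites(calls: List[ApiCall]) -> Dict[int, List[int]]:
    """Handle value -> RegCloseKey call sites; two sites means both branches close it."""
    out: Dict[int, List[int]] = {}
    for c in calls:
        if c.func == "RegCloseKey" and c.args and c.args[0] is not None:
            out.setdefault(c.args[0], []).append(c.ref)
    return out


# Sample lines copied from the APIs lists of this report.
SAMPLE_LINES = [
    "• Part of subcall function 6BB51E90: std::_Xinvalid_argument.LIBCPMT ref: 6BB51EAA",
    "• RegOpenKeyExW.KERNELBASE(?,00000000,00000000,00000001,7BDC3733), ref: 6BB57C48",
    "• RegQueryValueExW.KERNELBASE(7BDC3733,?,00000000,00000000,00000007,00000800), ref: 6BB57CA1",
    "• RegCloseKey.ADVAPI32(7BDC3733), ref: 6BB57CB0",
    "• RegCloseKey.ADVAPI32(7BDC3733), ref: 6BB57CDF",
    "• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000001,D0A01E50), ref: 6F85C597",
]

if __name__ == "__main__":
    calls = [parse_api_line(line) for line in SAMPLE_LINES]
    for c in calls:
        if c.func == "RegOpenKeyExW":
            print(f"{c.ref:#x}: {decode_reg_open(c)}")
    print({hex(h): [hex(r) for r in rs] for h, rs in close_sites(calls).items()})
```

The decoder confirms what the traces say and nothing more: an open of an HKLM key for KEY_QUERY_VALUE only (no write, enumerate or WOW64 redirection bits), and the handle 7BDC3733 closed at two call sites, which with the control-flow summary above reads as one close per branch rather than a double close. The key and value names stay unresolved ("?"), so this static pass does not tell which HKLM key is read.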
APIs
  • Part of subcall function 005B2B30: std::_Xinvalid_argument.LIBCPMT ref: 005B2B48
• RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000001,8CDAA9E8), ref: 005BC8F7
• RegQueryValueExW.KERNELBASE(8CDAA9E8,?,00000000,00000000,?,00000800), ref: 005BC92E
• RegCloseKey.ADVAPI32(8CDAA9E8), ref: 005BC93D
• RegCloseKey.ADVAPI32(8CDAA9E8), ref: 005BC945
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: Close$OpenQueryValueXinvalid_argumentstd::_
• String ID:
• API String ID: 4154549875-0
                                                                                                                                                                                                                                                        • Opcode ID: ac5b7026e838d1543e1eff841964984fcb46177bd7bb36212d63c20ff22e44f4
                                                                                                                                                                                                                                                        • Instruction ID: ac2e10e6c4b582584f89a28503d16ecf57da87454fe0fdcd3fb311cd8b355703
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac5b7026e838d1543e1eff841964984fcb46177bd7bb36212d63c20ff22e44f4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4415E715083459FD724CF15D885AABFBE9FFC9710F404A1EF49687250DB30A504CBA6
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _malloc.LIBCMT ref: 6F8907E1
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: __FF_MSGBANNER.LIBCMT ref: 6F8932BD
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: __NMSG_WRITE.LIBCMT ref: 6F8932C4
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6F89450F,00000000,00000001,00000000,?,6F89A441,00000018,6F8BD148,0000000C,6F89A4D1), ref: 6F8932E9
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F890816
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F890830
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F890841
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 615853336-0
                                                                                                                                                                                                                                                        • Opcode ID: 5a74989dd54243d11881c942115c7e680d5540109aa95d691eee130deb6e5abe
                                                                                                                                                                                                                                                        • Instruction ID: a5a567bcb07e457e48c337d3a549b103643ebd9b9b507caea62f36841d52263e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a74989dd54243d11881c942115c7e680d5540109aa95d691eee130deb6e5abe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 93F0F431401309BBDF08DF7DC844A9E7AA9AF4026CF101CC9E414AE6C4DB719A45CB80
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _malloc.LIBCMT ref: 6BB9B5C5
                                                                                                                                                                                                                                                          • Part of subcall function 6BB9C134: __FF_MSGBANNER.LIBCMT ref: 6BB9C14D
                                                                                                                                                                                                                                                          • Part of subcall function 6BB9C134: __NMSG_WRITE.LIBCMT ref: 6BB9C154
                                                                                                                                                                                                                                                          • Part of subcall function 6BB9C134: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6BB9C3B9,6BCC4320,00000001,6BCC4320,?,6BBA12C9,00000018,6BD25808,0000000C,6BBA1359), ref: 6BB9C179
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6BB9B5FA
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6BB9B614
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6BB9B625
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 615853336-0
                                                                                                                                                                                                                                                        • Opcode ID: d8edd0485291db57e0d28f26be94f09949e5442a1b1272ca34574b3d067a3ef4
                                                                                                                                                                                                                                                        • Instruction ID: 86629680e146003811bb0f6c71ada884e88b2ba18976e6274bdf39546995b45e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d8edd0485291db57e0d28f26be94f09949e5442a1b1272ca34574b3d067a3ef4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BAF08171804189AAEF18FFA4FC15A9EBAA5EB47758F100179E5109B180DF78DA81CFA1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: end of map not found
                                                                                                                                                                                                                                                        • API String ID: 0-1937500125
                                                                                                                                                                                                                                                        • Opcode ID: 26f7e01ef81645f0c26922e74afdbaf7428394614c470dac7bd4a6f4ab5bb3e8
                                                                                                                                                                                                                                                        • Instruction ID: 2a11f6b5601c12d7b0199c4f5d775bb43d30c2963342e97c6e3880f2bc57af49
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26f7e01ef81645f0c26922e74afdbaf7428394614c470dac7bd4a6f4ab5bb3e8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2B15F71504781AFC724CF68C480A9EB7E5BF85318F104DAEE5AA9F390DB30E945CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 005E7B0D: _malloc.LIBCMT ref: 005E7B27
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 005E1699
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 005E16B0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: `t`
• API String ID: 4063778783-2977419160
• Opcode ID: 084ed4c1ec9cc90a7ad560568f8653b38bf96a45d9922e211ce9513434bd22f0
• Instruction ID: 532693b209036ff98c6d7a5b34205eeeb84e2212e7fb8d44b669352ea5871297
• Opcode Fuzzy Hash: 084ed4c1ec9cc90a7ad560568f8653b38bf96a45d9922e211ce9513434bd22f0
• Instruction Fuzzy Hash: F5213AB18187919BC304DF19C845A5BBFE9FFC8B04F444A1EF48993250E7749608CB96
APIs
• std::exception::exception.LIBCMT ref: 005E251C
• __CxxThrowException@8.LIBCMT ref: 005E2533
  • Part of subcall function 005D2060: std::_Xinvalid_argument.LIBCPMT ref: 005D2080
  • Part of subcall function 005D2060: _memmove.LIBCMT ref: 005D20F3
  • Part of subcall function 005D2060: _memmove.LIBCMT ref: 005D2118
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: _memmove$Exception@8ThrowXinvalid_argumentstd::_std::exception::exception
• String ID: `t`
• API String ID: 2097953723-2977419160
• Opcode ID: 7d169d653a121ddf31334834eb639f3085e789db4d29981c8a70a66f2658b2b9
• Instruction ID: 3509913da1b92bd72316140fd1f773d69651a3d97d468af2cc0d20023daae71b
• Opcode Fuzzy Hash: 7d169d653a121ddf31334834eb639f3085e789db4d29981c8a70a66f2658b2b9
• Instruction Fuzzy Hash: CC1190752042458BDB18DF0AC480A56BBE9FFD4314F5884A9ED998F38BD731E905CBA2
APIs
• std::exception::exception.LIBCMT ref: 005B86AB
• __CxxThrowException@8.LIBCMT ref: 005B86C2
  • Part of subcall function 005E7B0D: _malloc.LIBCMT ref: 005E7B27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: `t`
• API String ID: 4063778783-2977419160
• Opcode ID: 8d61965f914a45f92d9d0b8119291c362cfc4e9dcf9a5714552a4a1b929bd0c1
• Instruction ID: 45ea3acd95588fe0ef550ec5d5b4c85b1e524ce251c7b20b36dd9a8b42404f9b
• Opcode Fuzzy Hash: 8d61965f914a45f92d9d0b8119291c362cfc4e9dcf9a5714552a4a1b929bd0c1
• Instruction Fuzzy Hash: F2E0A07150430256E70CEF6ACD06BAA7FD8AB94340F84482DA484C2160FA38D1488A53
APIs
• std::exception::exception.LIBCMT ref: 005BAF0B
• __CxxThrowException@8.LIBCMT ref: 005BAF22
  • Part of subcall function 005E7B0D: _malloc.LIBCMT ref: 005E7B27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: `t`
• API String ID: 4063778783-2977419160
• Opcode ID: 46bbecd5cc975aae77b6ac5264b8f8771f4b662ff5066b8b73bf20d93b254fac
• Instruction ID: 658e4d5ae10f80c69204edb94c66d91fc403d72d5b0ecbe32958dbc7e0e92495
• Opcode Fuzzy Hash: 46bbecd5cc975aae77b6ac5264b8f8771f4b662ff5066b8b73bf20d93b254fac
• Instruction Fuzzy Hash: 68E0DFB480830366EB28BB258812AEB7ED8FF94350F804A1DF4A981191FB30E1488953
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• _memmove.LIBCMT ref: 6F879E37
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890816
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890830
  • Part of subcall function 6F8907C7: __CxxThrowException@8.LIBCMT ref: 6F890841
• std::exception::exception.LIBCMT ref: 6F879DB1
• __CxxThrowException@8.LIBCMT ref: 6F879DC8
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw$_malloc_memmove
• String ID:
• API String ID: 4266200104-0
• Opcode ID: 4a6461ce7ef586f619616d38d8766154517c672b547609714622180d0d524d82
• Instruction ID: 0c01c9d36fd423df8b15a999f64a2ee1c935f9b219da3f7cbd0c52311bd83d24
• Opcode Fuzzy Hash: 4a6461ce7ef586f619616d38d8766154517c672b547609714622180d0d524d82
• Instruction Fuzzy Hash: 31518CB5904745EFC324CF28D880B86BBE4FB09714F044AAEE8968B751E771F914CB92
APIs
• std::exception::exception.LIBCMT ref: 6F8568D9
  • Part of subcall function 6F890109: std::exception::_Copy_str.LIBCMT ref: 6F890124
• __CxxThrowException@8.LIBCMT ref: 6F8568EE
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
  • Part of subcall function 6F8569B0: std::exception::exception.LIBCMT ref: 6F8569E0
  • Part of subcall function 6F8569B0: __CxxThrowException@8.LIBCMT ref: 6F8569F7
• _memmove.LIBCMT ref: 6F856935
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
• String ID:
• API String ID: 163498487-0
• Opcode ID: 7461b70a196e9ecfb2b0138495b45ce5e6ae6ce2f13b2c04a2bbd7dbc41929d7
                                                                                                                                                                                                                                                        • Instruction ID: ef4feb1f557b0e2b3915cefd07f6281505a63e332d97a4198eeeb906e18b1807
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7461b70a196e9ecfb2b0138495b45ce5e6ae6ce2f13b2c04a2bbd7dbc41929d7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DB41A971E00605ABDB44CF6CC89069EBBF4EB46360F544AAAE8159F780D731A954CBE1
APIs
• std::exception::exception.LIBCMT ref: 6F85375E
  • Part of subcall function 6F890109: std::exception::_Copy_str.LIBCMT ref: 6F890124
• __CxxThrowException@8.LIBCMT ref: 6F853773
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
  • Part of subcall function 6F8538B0: std::exception::exception.LIBCMT ref: 6F8538E1
  • Part of subcall function 6F8538B0: __CxxThrowException@8.LIBCMT ref: 6F8538F8
• _memmove.LIBCMT ref: 6F8537B7
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
• String ID:
• API String ID: 163498487-0
• Opcode ID: f1cf4fb1566943370da52b6ce947807d7bdcc2e8979c44beca23cb0fdae3c58f
• Instruction ID: 92b3e8c2f3d90c4899d206d3825eb016428715b81779f26e8570736452b156ed
• Opcode Fuzzy Hash: f1cf4fb1566943370da52b6ce947807d7bdcc2e8979c44beca23cb0fdae3c58f
• Instruction Fuzzy Hash: 404176B5E00615EBCB08CF6CC85199EB7F6FB45214B144ABEE8159B780E731BD24CBA1
APIs
• GetFileAttributesW.KERNELBASE(00000000,?,6F85140B), ref: 6F857B1C
• GetLastError.KERNEL32 ref: 6F857B53
• GetLastError.KERNEL32 ref: 6F857B5A
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: ErrorLast$AttributesFile
• String ID:
• API String ID: 2642427456-0
• Opcode ID: 8670eead17c27b264ed888f4ec96fe281b731d30b1db48b4fa4ca6a39e1b2035
• Instruction ID: b7c893a248e3dfd02358b296b5a7ae078f2d7a5dc3a14c6f71d426e54eddc0ed
• Opcode Fuzzy Hash: 8670eead17c27b264ed888f4ec96fe281b731d30b1db48b4fa4ca6a39e1b2035
• Instruction Fuzzy Hash: E2F0443191492C8BDB949A68F4C068DB3F2AF46370B51DDDED1518F590C220BCE687D2
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6BB55034
  • Part of subcall function 6BB55110: std::_Xinvalid_argument.LIBCPMT ref: 6BB5512A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_
• String ID: string too long
• API String ID: 909987262-2556327735
• Opcode ID: 34af6fd3ce0488d698fac4ae15696df6b92319f147b32e299b28ff99d64f83be
• Instruction ID: 4f1a3fcef081c08eb7cf085a229ad64f1792e317e4ebfa8436a8218470d5779b
• Opcode Fuzzy Hash: 34af6fd3ce0488d698fac4ae15696df6b92319f147b32e299b28ff99d64f83be
• Instruction Fuzzy Hash: 6431E4337106904FD3208E6CD890B5FF7EAEB95652B24492EF291C7240C7A59C6483F7
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F87F1AF
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: vector<T> too long
• API String ID: 1823113695-3788999226
• Opcode ID: d7e749e71e5364681e0068c3cb38c06b362b5c2b80a64383f9065024044cdb2b
• Instruction ID: 592860382e11ecc795974613c613b2c2483cbc6276956990cc9e37057b5ad962
• Opcode Fuzzy Hash: d7e749e71e5364681e0068c3cb38c06b362b5c2b80a64383f9065024044cdb2b
• Instruction Fuzzy Hash: 03214FB19006059FC714CF1DC981B5ABBF9EB58714F10896EE469CB754EB34A900CB90
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6BB86B4F
  • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB1318
  • Part of subcall function 6BBB1303: __CxxThrowException@8.LIBCMT ref: 6BBB132D
  • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB133E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1823113695-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: 37c83af7b1ea9962d73389e86f34013f5a57c8c5905a5b7355f708aa797c401d
                                                                                                                                                                                                                                                        • Instruction ID: a268c53d818fa7f5494e45491dd570912f7cab70af68ac92f565f6419262cd16
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37c83af7b1ea9962d73389e86f34013f5a57c8c5905a5b7355f708aa797c401d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14214DB2A00A059FC714CF6DC991B5ABBF9EF48714F10866EE55DCB750E778A900CBA0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F85CDB9
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1823113695-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: 52d4e70fbcbfec814a59d2ec4b7410f7a15f7745abb2647f7706fb53cb478330
                                                                                                                                                                                                                                                        • Instruction ID: 3fd274f939d713da8f7f0f0985b6c414af0fb2b4f4c973be9d22462ba13cbd94
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52d4e70fbcbfec814a59d2ec4b7410f7a15f7745abb2647f7706fb53cb478330
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C1F0B433F000311B8368887DCD9508ABD576AC532D35E8AB6E958FF386ED31EC2159D0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6BB584E9
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB1318
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: __CxxThrowException@8.LIBCMT ref: 6BBB132D
                                                                                                                                                                                                                                                          • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB133E
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1823113695-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: e7f96d9c7a706b68d126e30672a2adbe0a7fd6e2747c3c839a1f437ce7a5b187
                                                                                                                                                                                                                                                        • Instruction ID: c8f89d3c9faf087964a0fd44f9e15d0f4e7fe68f4a8b86cae4aa12a43d23169b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7f96d9c7a706b68d126e30672a2adbe0a7fd6e2747c3c839a1f437ce7a5b187
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ACF0F023F100300BC324893DEC9209EA59B6AC432935EC272EA88EF744FD39ED1141D2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 005B83B9
                                                                                                                                                                                                                                                          • Part of subcall function 005E6ABC: std::exception::exception.LIBCMT ref: 005E6AD1
                                                                                                                                                                                                                                                          • Part of subcall function 005E6ABC: __CxxThrowException@8.LIBCMT ref: 005E6AE6
                                                                                                                                                                                                                                                          • Part of subcall function 005E6ABC: std::exception::exception.LIBCMT ref: 005E6AF7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1823113695-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: 984ee764b94fff71502f5e700141cf2498c3734fdffaf7c906ab4529d8081c71
                                                                                                                                                                                                                                                        • Instruction ID: 65e6039315dc54c4db28b0dd24d6ba2f1c370e0881cc11b27495aa0e501ce961
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 984ee764b94fff71502f5e700141cf2498c3734fdffaf7c906ab4529d8081c71
• Instruction Fuzzy Hash: 59F0C237F001310B8318D43D8C844AEBD8AB6D5B5531A9A35E859EB386EC22FC4182D0
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6BB8F7D7
  • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB1318
  • Part of subcall function 6BBB1303: __CxxThrowException@8.LIBCMT ref: 6BBB132D
  • Part of subcall function 6BBB1303: std::exception::exception.LIBCMT ref: 6BBB133E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: vector<T> too long
• API String ID: 1823113695-3788999226
• Opcode ID: 224b506efe771253244cc5c745e1cd7d8d256c122129871eed6ca5b9ba4c5caf
• Instruction ID: 2207902efbad156d5b2330fbaade1fd179d6990f92a23965f726ed01fedc1ec3
• Opcode Fuzzy Hash: 224b506efe771253244cc5c745e1cd7d8d256c122129871eed6ca5b9ba4c5caf
• Instruction Fuzzy Hash: 44F05437F040615F8314953DAD4548FAAD79AD13543AACA71D948DF289E939EC4251D0
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• std::exception::exception.LIBCMT ref: 6F88BC49
• __CxxThrowException@8.LIBCMT ref: 6F88BC60
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: 34c8d40de5cbe33d7b6cf894860efdb3407ae702ba66af720459b56dbdcc048e
• Instruction ID: 04ee870731447d69130bb88ee4393e204bdff83b78c023eb72c3c7c81f99ec9f
• Opcode Fuzzy Hash: 34c8d40de5cbe33d7b6cf894860efdb3407ae702ba66af720459b56dbdcc048e
• Instruction Fuzzy Hash: 78519D705087458BD718CF29C88065ABBE0FB8A314F408EBEE5668F295D735E946CF82
APIs
  • Part of subcall function 6BB9B5AB: _malloc.LIBCMT ref: 6BB9B5C5
• std::exception::exception.LIBCMT ref: 6BB93CA8
• __CxxThrowException@8.LIBCMT ref: 6BB93CBF
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: 985cdbef5a18817e4ee6c18f87b2972b56b3d576d0c6af6d7977c46369338a66
• Instruction ID: f70a1312f8cb1811352a5391ba1348d455cabfe6504ea9cb98e38751d518ce8c
• Opcode Fuzzy Hash: 985cdbef5a18817e4ee6c18f87b2972b56b3d576d0c6af6d7977c46369338a66
• Instruction Fuzzy Hash: 4D5190B15087C5CBD720EF28E49065ABBF0FB4A718F408A7EE56AC7250D779C545CB82
APIs
• std::exception::exception.LIBCMT ref: 6BB522A0
  • Part of subcall function 6BB9AF37: std::exception::_Copy_str.LIBCMT ref: 6BB9AF52
• __CxxThrowException@8.LIBCMT ref: 6BB522B5
  • Part of subcall function 6BB9CC0F: RaiseException.KERNEL32(6BB522BA,?,7BDC3733,6BCC387C,6BB522BA,?,6BD2AAA8,?,7BDC3733), ref: 6BB9CC51
  • Part of subcall function 6BB52380: std::exception::exception.LIBCMT ref: 6BB523B6
  • Part of subcall function 6BB52380: __CxxThrowException@8.LIBCMT ref: 6BB523CD
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
• String ID:
• API String ID: 1430062303-0
• Opcode ID: cd326bf8eab209146802df72b6005e933ea305c4aa67a448b8df6318313cea2d
• Instruction ID: fc37525dbf2c670095e42c7dfce78b148cabf6ba6da708732aebd08b1ec98012
• Opcode Fuzzy Hash: cd326bf8eab209146802df72b6005e933ea305c4aa67a448b8df6318313cea2d
• Instruction Fuzzy Hash: 0741E876A01549ABCB04DFA8C8916AEF7F5FF49310F10426EE816D7740E739A910CBE2
APIs
• std::exception::exception.LIBCMT ref: 6BB55409
  • Part of subcall function 6BB9AF37: std::exception::_Copy_str.LIBCMT ref: 6BB9AF52
• __CxxThrowException@8.LIBCMT ref: 6BB5541E
  • Part of subcall function 6BB9CC0F: RaiseException.KERNEL32(6BB522BA,?,7BDC3733,6BCC387C,6BB522BA,?,6BD2AAA8,?,7BDC3733), ref: 6BB9CC51
  • Part of subcall function 6BB56030: std::exception::exception.LIBCMT ref: 6BB56060
  • Part of subcall function 6BB56030: __CxxThrowException@8.LIBCMT ref: 6BB56077
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1430062303-0
                                                                                                                                                                                                                                                        • Opcode ID: abafc37c8e26f388ffc77e1c9c7852aa2b45508ed7243246d0f3b90276a93a20
                                                                                                                                                                                                                                                        • Instruction ID: c1c31c67198fbebe6f8da2ddb794a536a1c6088fe891231821aabfb63fef16a3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abafc37c8e26f388ffc77e1c9c7852aa2b45508ed7243246d0f3b90276a93a20
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F441FAB2D00285ABD704DF78D8917DEBBF5EF05361F104229E91A97380D778A950CBE2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F8583C0: std::_Xinvalid_argument.LIBCPMT ref: 6F8583DC
                                                                                                                                                                                                                                                          • Part of subcall function 6F8583C0: _memmove.LIBCMT ref: 6F85844C
                                                                                                                                                                                                                                                          • Part of subcall function 6F8583C0: _memmove.LIBCMT ref: 6F858471
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F8582C3
                                                                                                                                                                                                                                                          • Part of subcall function 6F890109: std::exception::_Copy_str.LIBCMT ref: 6F890124
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F8582DA
                                                                                                                                                                                                                                                          • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _memmove$Copy_strExceptionException@8RaiseThrowXinvalid_argumentstd::_std::exception::_std::exception::exception
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 518014629-0
                                                                                                                                                                                                                                                        • Opcode ID: 570992f176a529342eb67380c8ed7cf75b771208ba124328eea53a3a235eef75
                                                                                                                                                                                                                                                        • Instruction ID: 282acb5ee3bf8c166d03fd7eb324e8f622dde25d02a237a81637448b29789ac4
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 570992f176a529342eb67380c8ed7cf75b771208ba124328eea53a3a235eef75
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD2145B5508B51AFC704CF18C480A46BBF4FB88714F008A9EE8998B745E735E955CFA2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(?,?,?,?,?,6F861F0D,D0A01E50,?,?,?,?), ref: 6F862003
                                                                                                                                                                                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?), ref: 6F862030
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileInfoVersion$Size
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2104008232-0
                                                                                                                                                                                                                                                        • Opcode ID: 5e0bdba6dd19197956e44fab8bd2c13de4ea2d8f0b89d188887d5719e9199be6
                                                                                                                                                                                                                                                        • Instruction ID: 573addc9b2b7020bdd3f364cb6b305f7ff687c9d385a285ae8448303688cea6a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e0bdba6dd19197956e44fab8bd2c13de4ea2d8f0b89d188887d5719e9199be6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6F0C273206A10ABDF149A69AC88A8737A8EFC577672005FAF902CE240E724D410C3B3
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetFileVersionInfoSizeW.KERNELBASE(?,?,?,?,?,6BB70C4D,7BDC3733,?,?,?,?,?), ref: 6BB70D43
                                                                                                                                                                                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 6BB70D70
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileInfoVersion$Size
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2104008232-0
                                                                                                                                                                                                                                                        • Opcode ID: c4ce87619928403e69879199be3818451c2544daae355f5f4de34182dc17f578
                                                                                                                                                                                                                                                        • Instruction ID: 260c7b6c45feb9301bfca9b2aee4b766d9e79a42d2d7ea9d081803b4074bad05
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4ce87619928403e69879199be3818451c2544daae355f5f4de34182dc17f578
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3F04C727022515BDB306A68BC84E8B7368EBC127771001BBFC06C6100D725E40083B2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F85CF99
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F85CFB0
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: 91216add9b63ef068710b857ccf77ac4748ad8c0e30aee52fba01b69a9b2559c
• Instruction ID: 99423db885f413a39320389f26e410417ff80374c0809891e61c5334f7d7af2b
• Opcode Fuzzy Hash: 91216add9b63ef068710b857ccf77ac4748ad8c0e30aee52fba01b69a9b2559c
• Instruction Fuzzy Hash: DFE0657550470177F74CAA798C126ABB6E09F8415CF405CADE855CA245F778D2198A43
APIs
• std::exception::exception.LIBCMT ref: 6BB586C9
• __CxxThrowException@8.LIBCMT ref: 6BB586E0
  • Part of subcall function 6BB9B5AB: _malloc.LIBCMT ref: 6BB9B5C5
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: fdaf93055cddc58fd58c3204e26d2b1b931b5d52f685c2be421d0571596ec803
• Instruction ID: 144e6a494e9260f96f58b744bb39e25040823d80c3d5189581bb4f0ee2c34d4c
• Opcode Fuzzy Hash: fdaf93055cddc58fd58c3204e26d2b1b931b5d52f685c2be421d0571596ec803
• Instruction Fuzzy Hash: 6EE0EDB251424116F708FBB4DD137AF76A0CF8829CF40886DE8A9C2200FB3CC1188A93
APIs
• std::exception::exception.LIBCMT ref: 6F87F8F7
• __CxxThrowException@8.LIBCMT ref: 6F87F90E
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: 18c776609b3c903100a2d59b5dd3c7e4403efe7884c9a3a6a8240a2a2c050d9b
• Instruction ID: b139fb2cf925107ec4241214d4437a4d004daa85cab61e1eccb0abf94687c17d
• Opcode Fuzzy Hash: 18c776609b3c903100a2d59b5dd3c7e4403efe7884c9a3a6a8240a2a2c050d9b
• Instruction Fuzzy Hash: C6E022751043017AE318EB69CC11BAFB2E0AFA0318F808CECE855CA354FB3CD2098A43
APIs
• std::exception::exception.LIBCMT ref: 6BB87097
• __CxxThrowException@8.LIBCMT ref: 6BB870AE
  • Part of subcall function 6BB9B5AB: _malloc.LIBCMT ref: 6BB9B5C5
Memory Dump Source
• Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
• Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmp
• Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID:
• API String ID: 4063778783-0
• Opcode ID: 2c9d3e2cd06778711d48735d95a0af776d2ad5bf5f6628ea1af0a3cf6a29a23d
• Instruction ID: 690a986e9af3a591bcfea443b30f85caafbac5384923118a93754c428d3087a9
• Opcode Fuzzy Hash: 2c9d3e2cd06778711d48735d95a0af776d2ad5bf5f6628ea1af0a3cf6a29a23d
• Instruction Fuzzy Hash: AEE02BB15042415FE300FBB1DD127AE72E1DF54398F4488BCD458C2110F7BCC1198663
APIs
• ___crtCorExitProcess.LIBCMT ref: 005EC9A4
  • Part of subcall function 005EC971: GetModuleHandleW.KERNEL32(mscoree.dll,?,005EC9A9,00000000,?,005EA016,000000FF,0000001E,00000001,00000000,00000000,?,005EB2F9,00000000,00000001,00000000), ref: 005EC97B
  • Part of subcall function 005EC971: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005EC98B
• ExitProcess.KERNEL32 ref: 005EC9AD
Memory Dump Source
• Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
• Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmp
• Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
• API String ID: 2427264223-0
• Opcode ID: cf34de41a7cdcfe487ebff477d3ba3e4450f27eb88fe4293572db0f6a05ecf53
• Instruction ID: b200264f7dec46e5754d10f80bc4b6bfde4da71f9fed16c729b9805e244345e8
• Opcode Fuzzy Hash: cf34de41a7cdcfe487ebff477d3ba3e4450f27eb88fe4293572db0f6a05ecf53
• Instruction Fuzzy Hash: 11B0923200824CBBCB052F22DC0E85A3F2AFB813A0B544020F80849072DF72FD93DA80
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0000000F,000000FF,00000000,00000000,?,00000000,?,6F8621F9,?,D0A01E50,0000000F,?,?), ref: 6F8623DB
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0000000F,000000FF,00000000,00000000,0000000F,?,?,?,?,D0A01E50,?,00000000), ref: 6F862412
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID:
                                                                                                                                                                                                                                                        • API String ID: 626452242-0
                                                                                                                                                                                                                                                        • Opcode ID: d202a1fcd863798443bbca3e44a158c8f114f6997f23cfc1667982440701c8f1
                                                                                                                                                                                                                                                        • Instruction ID: 86fc81ead80e644198aa9642fabeaecc2f34e2f163bcaa7ed25839e6e1ec0cb9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d202a1fcd863798443bbca3e44a158c8f114f6997f23cfc1667982440701c8f1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D8F0F47738671137D620167EAC42F6BB388CB85771F2407B7F625DE5C0EA12E41052A1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FolderPath
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1514166925-0
                                                                                                                                                                                                                                                        • Opcode ID: eeed9b2542e2630b22d4c5d3877a7d5414e3fc6e5347299f48ddb769f7a10f0c
                                                                                                                                                                                                                                                        • Instruction ID: d3c9b017dbcedfc3071c5d421ef22a8e5467cbe5405d2b5883d161556ff19e62
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: eeed9b2542e2630b22d4c5d3877a7d5414e3fc6e5347299f48ddb769f7a10f0c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C511E170610704ABD324DF28C806BEBB3E9AF84314F444A59E44ACF2D0E7B4AA4487D2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _doexit.LIBCMT ref: 005ECC00
                                                                                                                                                                                                                                                          • Part of subcall function 005ECAB4: __lock.LIBCMT ref: 005ECAC2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2567833069.00000000005B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 005B0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567804101.00000000005B0000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567917358.0000000000607000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2567985326.000000000061A000.00000004.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2568018090.0000000000620000.00000002.00000001.01000000.00000014.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_5b0000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __lock_doexit
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 368792745-0
                                                                                                                                                                                                                                                        • Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                                                                                                                                                                        • Instruction ID: 2abf5c676588a210c706e86e5d16de56b94967b3098b1296718a2c20484e0ec2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0B0923258024C33DA202542AC07F0A3E1A97C0B60E240021BA0C192A1A9A2A9628089
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _doexit.LIBCMT ref: 6BB9C7C1
                                                                                                                                                                                                                                                          • Part of subcall function 6BB9C64F: __lock.LIBCMT ref: 6BB9C65D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2569669714.000000006BB51000.00000020.00000001.01000000.00000015.sdmp, Offset: 6BB50000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2569337232.000000006BB50000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCC3000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570467871.000000006BCD5000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2570976244.000000006BD35000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571057194.000000006BD3A000.00000008.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571109707.000000006BD42000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571273369.000000006BD48000.00000004.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571319844.000000006BD4B000.00000002.00000001.01000000.00000015.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6bb50000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __lock_doexit
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 368792745-0
                                                                                                                                                                                                                                                        • Opcode ID: 61cc1048c9adf6bbef98f44e7947428adfb5ecee68712f559f8c60e7f46661f4
                                                                                                                                                                                                                                                        • Instruction ID: 44a784effb527a941d77492570b118a76a8311b4affb96ed49f64a8054185212
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61cc1048c9adf6bbef98f44e7947428adfb5ecee68712f559f8c60e7f46661f4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3BA00265BD434425F8A465683C57F5835011751F05FD41060BB082D1C0A5CA52584057
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • InitializeCriticalSection.KERNEL32(?,D0A01E50,00000007,00000008), ref: 6F86B0C5
                                                                                                                                                                                                                                                          • Part of subcall function 6F853210: _memmove.LIBCMT ref: 6F853248
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CriticalInitializeSection_memmove
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1595129083-0
                                                                                                                                                                                                                                                        • Opcode ID: 77b6c3d6d787636dc8640cd82e9b2b1dd172f7101751a81c5c0dbd34de5d4ed5
                                                                                                                                                                                                                                                        • Instruction ID: 399a3b399293787e37fc3e543ce3e4fb1a56c415af03130b01739af99a1b2abd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 77b6c3d6d787636dc8640cd82e9b2b1dd172f7101751a81c5c0dbd34de5d4ed5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FE3114B19087889FCB44CF29C90068ABBE4FF89718F404A6EF959C7350E7359804CF96
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _swscanf.LIBCMT ref: 6F854F93
                                                                                                                                                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 6F854FAE
                                                                                                                                                                                                                                                        • _swscanf.LIBCMT ref: 6F854FED
                                                                                                                                                                                                                                                        • _swscanf.LIBCMT ref: 6F85502A
                                                                                                                                                                                                                                                        • _ScheduleTask@16.MBAM(00000000,00000000,?,?), ref: 6F855052
• _UnscheduleTask@16.MBAM(00000000,00000000,?,?), ref: 6F855072
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _swscanf$Task@16$LocalScheduleTimeUnschedule
• String ID: -log$ -reboot$ -remove$ -terminate$ -xml$ /all$ /all -scan$ /all -update$ /daily$ /every $ /flash$ /hourly$ /monthly$ /once$ /onreboot$ /random$ /realtime$ /recover $ /scan -flash$ /scan -full$ /scan -quick$ /silent$ /starting $ /update$ /wakefromsleep$ /weekly$ /xml$%hu/%hu/%hu %hu:%hu:%hu$/schedule$/unschedule
• API String ID: 2320526193-207438677
• Opcode ID: 24f8235c006eb11f531de92368777d49d3e17b9e23910fc7cc2c4c3429f18276
• Instruction ID: f58f9cd45e14a76bb28cd95922ecf067271e8e98d7f77aa0b3fe3531fd62edde
• Opcode Fuzzy Hash: 24f8235c006eb11f531de92368777d49d3e17b9e23910fc7cc2c4c3429f18276
• Instruction Fuzzy Hash: 87A1A4B390530037EB849A7D5C52F9B7298AFD5219F040DBAFD54AD381EB25E13482E6
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 6F86FC33
  • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• ExitProcess.KERNEL32 ref: 6F86FF21
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: ExecuteExitProcessShellXinvalid_argumentstd::_
• String ID: /uninstall$ExecuteMBAMCommand$arguments$command$exit$exitpm$link$messaging\actions\$open$path
• API String ID: 1620226084-2726402617
• Opcode ID: 2fd8f6ca965a6cfa01a3beda4ad0d33c644db4a6dffea496c18fd306418ed73c
• Instruction ID: 073c8dba1b1441c15f936bcd662678476a5c9d62a40b9d63c711122072248a66
• Opcode Fuzzy Hash: 2fd8f6ca965a6cfa01a3beda4ad0d33c644db4a6dffea496c18fd306418ed73c
• Instruction Fuzzy Hash: 61D149B1909780EBD720CF69C540B9BB7E5AF99704F404D5DE5898B381EB35A8048B93
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,0000001C,0000000C,Function_000031A0,?), ref: 6F856ABE
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 6F856B22
• GetCurrentProcess.KERNEL32(00020008,?), ref: 6F856B3B
• OpenProcessToken.ADVAPI32(00000000), ref: 6F856B42
• GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?), ref: 6F856B5F
• CloseHandle.KERNEL32(?), ref: 6F856B6E
• CloseHandle.KERNEL32(?), ref: 6F856B99
• __aulldiv.LIBCMT ref: 6F856BE8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: CloseFileHandleProcessTimeToken$CreateCurrentInformationOpenSystem__aulldiv
• String ID: \rules.ref
• API String ID: 47722894-2077845452
• Opcode ID: c82c33641473e8637d9810e1fd5311ae8af96630351b0d21c6a32c9b5c95a5a0
• Instruction ID: 9d2d1d3d6e6cbaf3e26e7f3d174b5f9b03b3f7d8099331ecbbd1734b9ee04f96
• Opcode Fuzzy Hash: c82c33641473e8637d9810e1fd5311ae8af96630351b0d21c6a32c9b5c95a5a0
• Instruction Fuzzy Hash: AD51C571608300ABDB54DB78D885A9FB3E5EB85765F000DAEF5498B190DB30E958CB93
APIs
• GetCurrentProcess.KERNEL32(000F01FF,D0A01E50,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAF7
• OpenProcessToken.ADVAPI32(00000000,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAFE
• LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 6F85FB14
• CloseHandle.KERNEL32(?,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FB22
• AdjustTokenPrivileges.ADVAPI32 ref: 6F85FB6B
• CloseHandle.KERNEL32 ref: 6F85FB79
• CloseHandle.KERNEL32 ref: 6F85FB94
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: CloseHandle$ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeDebugPrivilege
• API String ID: 1280518032-2896544425
• Opcode ID: e9cd4ea85900086a96d0db6e1a18036786e1cf93c7a9c4a5a0b4773403824a86
• Instruction ID: 1d3686ea81bc25efd11b106741c27476b8e841cc54163c7b3aa3332b4fcfb02b
• Opcode Fuzzy Hash: e9cd4ea85900086a96d0db6e1a18036786e1cf93c7a9c4a5a0b4773403824a86
• Instruction Fuzzy Hash: DB114AB0608700AFCB08DF75C85AB5BB7E5BF88704F804D8CF09A8A280E774E555DB96
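The two records above (the TokenIntegrityLevel query at 6F856B5F and the SeDebugPrivilege adjustment at 6F85FAF7..6F85FB94) are the kind of per-function API sequence an analyst wants to pull out of a long IDA-plugin dump automatically rather than by scrolling. The following parser is an added example written for this report; it is not Joe Sandbox code and assumes only the record layout visible on this page (an "APIs" header, "• Name.MODULE(args), ref: ADDR" lines, optional "Part of subcall function ADDR:" prefixes, and a "String ID:" line whose entries are separated by "$"). The sample text is copied from three of the records above, trimmed of the Memory Dump Source lines. The two flags it raises are triage pointers, not verdicts: the same module carries scanner command strings (/scan -quick, /update, ExecuteMBAMCommand, \rules.ref), and an anti-malware GUI component has as much reason to enable SeDebugPrivilege as a RAT does.

```python
import re
from dataclasses import dataclass, field

# One "Name.MODULE(args), ref: ADDR" line as exported by the Joe Sandbox IDA plugin,
# optionally prefixed with the "Part of subcall function ADDR:" marker used for callees.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[\w:@$]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str          # address of the call site inside the dumped module
    subcall_of: str   # callee address when reported via "Part of subcall", else ""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""


def _clean(line):
    # Drop the table indentation and the bullet glyph left behind by the HTML export.
    return line.strip().lstrip("\u2022").strip()


def parse_records(text):
    """Split the plugin dump into one FunctionRecord per 'APIs' block."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "",
                                        m["ref"], m["sub"] or ""))
        elif section == "Similarity":
            if line.startswith("String ID: "):
                cur.strings = line[len("String ID: "):].split("$")
            elif line.startswith("Opcode ID: "):
                cur.opcode_id = line[len("Opcode ID: "):]
    return records


def flag_token_abuse(records):
    """Return (first call site, label) for functions that operate on their own token."""
    findings = []
    for rec in records:
        if not rec.apis:
            continue
        names = {a.name for a in rec.apis}
        site = rec.apis[0].ref
        # Classic privilege-enable sequence plus the privilege name in the string table.
        if ({"OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= names
                and "SeDebugPrivilege" in rec.strings):
            findings.append((site, "enables SeDebugPrivilege on own token"))
        # TokenIntegrityLevel (0x12) query: the code checks whether it runs elevated.
        if any(a.name == "GetTokenInformation" and "TokenIntegrityLevel" in a.args
               for a in rec.apis):
            findings.append((site, "queries own token integrity level"))
    return findings


# Three records copied from the report above (Memory Dump Source lines omitted).
SAMPLE = r"""
APIs
• GetCurrentProcess.KERNEL32(000F01FF,D0A01E50,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAF7
• OpenProcessToken.ADVAPI32(00000000,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAFE
• LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 6F85FB14
• CloseHandle.KERNEL32(?,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FB22
• AdjustTokenPrivileges.ADVAPI32 ref: 6F85FB6B
• CloseHandle.KERNEL32 ref: 6F85FB79
• CloseHandle.KERNEL32 ref: 6F85FB94
Strings
Similarity
• String ID: SeDebugPrivilege
• Opcode ID: e9cd4ea85900086a96d0db6e1a18036786e1cf93c7a9c4a5a0b4773403824a86
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,?,0000001C,0000000C,Function_000031A0,?), ref: 6F856ABE
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 6F856B22
• GetCurrentProcess.KERNEL32(00020008,?), ref: 6F856B3B
• OpenProcessToken.ADVAPI32(00000000), ref: 6F856B42
• GetTokenInformation.ADVAPI32(?,00000012(TokenIntegrityLevel),?,00000004,?), ref: 6F856B5F
• __aulldiv.LIBCMT ref: 6F856BE8
Strings
Similarity
• String ID: \rules.ref
APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 6F86FC33
  • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• ExitProcess.KERNEL32 ref: 6F86FF21
Strings
Similarity
• String ID: /uninstall$ExecuteMBAMCommand$arguments$command$exit$exitpm$link$messaging\actions\$open$path
"""

if __name__ == "__main__":
    for site, label in flag_token_abuse(parse_records(SAMPLE)):
        print(site, label)
```

The parser keys each finding on the first call site of the record, which is what you would jump to in IDA; the Opcode ID is kept on the record so the same function can be matched across analyses of other builds.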
APIs
• CryptGenRandom.ADVAPI32(00000000,00000100,?,D0A01E50,?,?), ref: 6F869C6A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: CryptRandom
• String ID: \algorithm$\password$\salt$local$passwords\$whirlpool
• API String ID: 2662593985-3942015599
• Opcode ID: 71cf23d321490212fad8545bf3238020ce86ea2cee9720794ece29c14c89a863
• Instruction ID: 0d7d5208fa02a1bcb1a7474de3a4e56351b32bfaaa36096d6ac4d52dc125c489
• Opcode Fuzzy Hash: 71cf23d321490212fad8545bf3238020ce86ea2cee9720794ece29c14c89a863
• Instruction Fuzzy Hash: 2EF115B09083819BD364CF69C480B9BF7E5AFD9708F004D6EE5998B391DBB49505CB93
APIs
  • Part of subcall function 6F88EA00: GetVersionExW.KERNEL32(?,00000000,?,6F87117A), ref: 6F88EA09
  • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,6F87117A), ref: 6F88EA1F
  • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA28
  • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,6F87117A), ref: 6F88EA46
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA49
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,6F87117A), ref: 6F88EA5B
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA5E
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,6F87117A), ref: 6F88EAA0
                                                                                                                                                                                                                                                        • ControlService.ADVAPI32(?,00000001,?,00000000), ref: 6F8729C7
                                                                                                                                                                                                                                                        • DeleteService.ADVAPI32(?), ref: 6F8729DD
                                                                                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?), ref: 6F8729F4
                                                                                                                                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 6F872A03
                                                                                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?,00000000), ref: 6F872A15
                                                                                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?,00000000), ref: 6F872A2E
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Handle$Service$AddressCloseModuleProc$ControlDeleteManagerOpenSleepVersion
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3650110176-0
                                                                                                                                                                                                                                                        • Opcode ID: e1c79e4a17f850faaae484880b83b8538640e0c9d827eefb46271a4aff7d7c85
                                                                                                                                                                                                                                                        • Instruction ID: 3d9651262cdd47eda4ddb9c55a13a84e7e0844e89631e973af12519c2efbae35
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1c79e4a17f850faaae484880b83b8538640e0c9d827eefb46271a4aff7d7c85
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 10314371618781ABDB30CB68C945BDBB3E8AB49714F004D5DE499DB280DF35E514CF92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F85E400: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040,00000001,?,00000000,D0A01E50,00000000,?,00000000,?,?,00000000), ref: 6F85E45E
                                                                                                                                                                                                                                                        • CryptCreateHash.ADVAPI32(00000000,?,00000000,00000000,?,00000000,?), ref: 6F85E68A
                                                                                                                                                                                                                                                        • CryptHashData.ADVAPI32(?,?,?,00000000,?,00000000,?), ref: 6F85E6A4
                                                                                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,?,?,00000000,?,00000000,?), ref: 6F85E6B2
                                                                                                                                                                                                                                                        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000000,00000000,?,?,?,00000000,?,00000000,?), ref: 6F85E6D9
                                                                                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(?,?,?,?,00000000,?,00000000,?), ref: 6F85E6E7
                                                                                                                                                                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,?,?,00000000,?,00000000,?), ref: 6F85E6F7
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Crypt$Hash$Destroy$AcquireContextCreateDataParam
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1709778380-0
                                                                                                                                                                                                                                                        • Opcode ID: edb61ba26f8bb8ad6e272a29880ce2422f35d637e11145da50467091bafa4cdf
                                                                                                                                                                                                                                                        • Instruction ID: 91a116a4bf47fa5ac5114aa55cd5b8c3c8f10f97fe74540b5018dd500d4f9bdc
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: edb61ba26f8bb8ad6e272a29880ce2422f35d637e11145da50467091bafa4cdf
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE112AB4608701AFEB14EF60DC49F5A77E8AB89750F804888B594CB280E634E419CBA2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F85B0B0: GetCommandLineW.KERNEL32 ref: 6F85B109
                                                                                                                                                                                                                                                        • _PasswordMatches@4.MBAM(?,/setpassword), ref: 6F852522
                                                                                                                                                                                                                                                        • _PasswordSet@4.MBAM(?,/setpassword), ref: 6F85258A
                                                                                                                                                                                                                                                        • _PasswordMatches@4.MBAM(?,/clearpassword,/setpassword), ref: 6F85267C
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Password$Matches@4$CommandLineSet@4
                                                                                                                                                                                                                                                        • String ID: /clearpassword$/setpassword
                                                                                                                                                                                                                                                        • API String ID: 4275981024-1545071088
                                                                                                                                                                                                                                                        • Opcode ID: a65d05133b19e24efef828afedf1abe509de34bcb2a4b9c9cf71c8d53653515c
                                                                                                                                                                                                                                                        • Instruction ID: ad5c3c0f02488462ba5e0128ccd655aeab96ebb7cf5184785d81e92609b9db34
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a65d05133b19e24efef828afedf1abe509de34bcb2a4b9c9cf71c8d53653515c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DF714AB2908344DBD784DF29C94095BB6E5BFC5308F040EAEF5959B290EB39E919CB43
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,6F89B409,?,6F89144D,?,000000BC,?,00000001,00000000,00000000), ref: 6F89AE0B
                                                                                                                                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,6F89B409,?,6F89144D,?,000000BC,?,00000001,00000000,00000000), ref: 6F89AE34
                                                                                                                                                                                                                                                        • GetACP.KERNEL32(?,?,6F89B409,?,6F89144D,?,000000BC,?,00000001,00000000), ref: 6F89AE48
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 87aaf2d327816f7d5f663c43b23f979b690cac302f93ae67fc047bd553b90c94
• Instruction ID: 5271af24d26fc9b143d54e4a9d840f7f9f6852677b22f6ab31ce1537494c53f5
• Opcode Fuzzy Hash: 87aaf2d327816f7d5f663c43b23f979b690cac302f93ae67fc047bd553b90c94
• Instruction Fuzzy Hash: 9901D431E05A0ABAEB15AAADD805B8F77E8EF01369F1048D9E501ED180EB30EA51C254
APIs
• IsDebuggerPresent.KERNEL32 ref: 6F894822
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F894837
• UnhandledExceptionFilter.KERNEL32(6F8B1E38), ref: 6F894842
• GetCurrentProcess.KERNEL32(C0000409), ref: 6F89485E
• TerminateProcess.KERNEL32(00000000), ref: 6F894865
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
• String ID:
• API String ID: 2579439406-0
• Opcode ID: 16deaff9ed1c76e7c5c21276604c61b3dbe4a7361b9f2d9cbe9f474145297fb8
• Instruction ID: a9da9954a7f9e649c9d508802e172cec78ede6b2aa49c9d22c575de991c44445
• Opcode Fuzzy Hash: 16deaff9ed1c76e7c5c21276604c61b3dbe4a7361b9f2d9cbe9f474145297fb8
• Instruction Fuzzy Hash: BF21CCB8A02A08DFDF01DF2AC449A843FE4FB4A768F4055DAE4198B748E77054A5CF95
APIs
• __CxxThrowException@8.LIBCMT ref: 6F88DD9F
• std::_Xinvalid_argument.LIBCPMT ref: 6F88DDA9
  • Part of subcall function 6F856840: _memmove.LIBCMT ref: 6F856935
Strings
Similarity
• API ID: Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: invalid unicode: $string too long
• API String ID: 3247205923-254660679
• Opcode ID: 1859f9ea552a2c10282a6742c927cfd7d0d6184e5d9b517493547ca7f1c96ae7
• Instruction ID: d014daf1a34c8e2b1cb2f55db25339fd15ef3b34c962c3085e1c826825404b11
• Opcode Fuzzy Hash: 1859f9ea552a2c10282a6742c927cfd7d0d6184e5d9b517493547ca7f1c96ae7
• Instruction Fuzzy Hash: 8E1228B29083809BD771CB68C840BCFB7E6ABD9704F044D6EE59E5B281DB71A544CB93
APIs
Strings
• %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x, xrefs: 6F86E775
• 0123456789ABCDEFGHJKLMNPQRTUVWXY, xrefs: 6F86E7E2
• %wc%wc%wc%wc-%wc%wc%wc%wc-%wc%wc%wc%wc-%wc%wc%wc%wc, xrefs: 6F86E910
Similarity
• API ID: _swscanf
• String ID: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x$%wc%wc%wc%wc-%wc%wc%wc%wc-%wc%wc%wc%wc-%wc%wc%wc%wc$0123456789ABCDEFGHJKLMNPQRTUVWXY
• API String ID: 2748852333-3380361984
• Opcode ID: b61a93f5056f63c78898777a87b8678bdbcb59751eac0420a918992ad25341c1
• Instruction ID: e465f10e826f61202eb01ae45465b6690878d455f8a576a5c82ecdaa8905b133
• Opcode Fuzzy Hash: b61a93f5056f63c78898777a87b8678bdbcb59751eac0420a918992ad25341c1
• Instruction Fuzzy Hash: F891BFB260C7409AC325CF69D840AABB7E7AFC8700F088D5EF5D58A250D774E558CB67
APIs
• CryptGenRandom.ADVAPI32(00000000,00000004,?,?,?), ref: 6F852F45
• _wcstoul.LIBCMT ref: 6F852FD3
• CryptGenRandom.ADVAPI32(00000000,00000004,?), ref: 6F853003
• CryptGenRandom.ADVAPI32(00000000,00000004,?), ref: 6F8530A2
  • Part of subcall function 6F85E400: CryptAcquireContextW.ADVAPI32(00000000,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000040,00000001,?,00000000,D0A01E50,00000000,?,00000000,?,?,00000000), ref: 6F85E45E
Similarity
• API ID: Crypt$Random$AcquireContext_wcstoul
• String ID:
• API String ID: 1279355896-0
• Opcode ID: d010a710b8dac1ab994c88ba2fe581b7f70955f7c9664a85b0ed2d002bceacbe
• Instruction ID: f19ffd4411478121dd8e2ff7af2e5ca14bfae443737be6b145bce5efd8d71fca
• Opcode Fuzzy Hash: d010a710b8dac1ab994c88ba2fe581b7f70955f7c9664a85b0ed2d002bceacbe
• Instruction Fuzzy Hash: DE61E772A087019BCB54CF2CDD8165BB7E2AB84714F040D6EF9959F240DB35EC598B93
APIs
• CloseServiceHandle.ADVAPI32(?,D0A01E50,00000000,00000000,00000007), ref: 6F88EC0D
• CreateServiceW.ADVAPI32(00000000,?,00000000,000F01FF,?,?,00000001,00000000,?,00000000,?,00000000,00000000), ref: 6F88ECBF
• GetLastError.KERNEL32 ref: 6F88ECCF
• OpenServiceW.ADVAPI32(00000000,?,000F01FF), ref: 6F88ECF0
Similarity
• API ID: Service$CloseCreateErrorHandleLastOpen
• String ID:
• API String ID: 4007200304-0
• Opcode ID: 4143a58251a9473749441f313e7747abfdf3eaf8157f58c8edc5d35c05bb05e9
• Instruction ID: b5fecaea120721de71a49d229a909962d360114c665ac3da49966898fee587eb
• Opcode Fuzzy Hash: 4143a58251a9473749441f313e7747abfdf3eaf8157f58c8edc5d35c05bb05e9
• Instruction Fuzzy Hash: 2B518A70A04B41EBD704CF68C884B9AB7E6BF89715F104E6EF5669B380D770E844CB92
Strings
Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __vswprintf_c_l
                                                                                                                                                                                                                                                        • String ID: %llu
                                                                                                                                                                                                                                                        • API String ID: 4171875762-507646796
                                                                                                                                                                                                                                                        • Opcode ID: b79c6a12d7bb2fed87ebe30b1d50812bb44b46a160c3fef7b66bd5f71b3fa3d0
                                                                                                                                                                                                                                                        • Instruction ID: f18a182de237f98a922fe5d6f9ad96e95203bbd72a00e5ba47c5f89f2982072b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b79c6a12d7bb2fed87ebe30b1d50812bb44b46a160c3fef7b66bd5f71b3fa3d0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C8190B1608340AFCB54CF78D881A5BB7E5AF86318F004E5EF8959B281D774E819CB93
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F864430: std::exception::exception.LIBCMT ref: 6F864498
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F888D25
                                                                                                                                                                                                                                                          • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F888ED1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throw$ExceptionRaisestd::exception::exception
                                                                                                                                                                                                                                                        • String ID: illegal flow end
                                                                                                                                                                                                                                                        • API String ID: 994420026-2303308288
                                                                                                                                                                                                                                                        • Opcode ID: 15f0446bb6b4507addce45af13acdb047056a2aba41f3b75a4a001a87a261208
                                                                                                                                                                                                                                                        • Instruction ID: 87eb5607c4b25b762f410d06711bb8fea658562be352a95cfcacae955b79ae40
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 15f0446bb6b4507addce45af13acdb047056a2aba41f3b75a4a001a87a261208
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 079106716087459FC324DF29C480B9AF7E1FF89704F404EAEE5A98B751DB70A904CB82
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _wcstoul.LIBCMT ref: 6F852FD3
                                                                                                                                                                                                                                                        • CryptGenRandom.ADVAPI32(00000000,00000004,?), ref: 6F853003
                                                                                                                                                                                                                                                        • CryptGenRandom.ADVAPI32(00000000,00000004,?), ref: 6F8530A2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CryptRandom$_wcstoul
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 865278744-0
                                                                                                                                                                                                                                                        • Opcode ID: a6886d2fb049f8ba12cbedc61e526ce82a393cc5a97648080d4db762c86d6088
                                                                                                                                                                                                                                                        • Instruction ID: 85b3dcd68a8b7df6a5550f73aa5bd85bed4915198e8a11a4538c19fde0f85b17
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a6886d2fb049f8ba12cbedc61e526ce82a393cc5a97648080d4db762c86d6088
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB31FC71A047019BCB54DF38DD8175AB3E2AB80314F000DBDE5959F240E735EC6D8693
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetVersionExW.KERNEL32(?,00000000,?,6F87117A), ref: 6F88EA09
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,6F87117A), ref: 6F88EA1F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA28
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,6F87117A), ref: 6F88EA46
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA49
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,6F87117A), ref: 6F88EA5B
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: GetProcAddress.KERNEL32(00000000), ref: 6F88EA5E
                                                                                                                                                                                                                                                          • Part of subcall function 6F88EA00: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,6F87117A), ref: 6F88EAA0
                                                                                                                                                                                                                                                        • ChangeServiceConfigW.ADVAPI32(?,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6F872FA3
                                                                                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?), ref: 6F872FB5
                                                                                                                                                                                                                                                        • CloseServiceHandle.ADVAPI32(?,00000000), ref: 6F872FCE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Handle$AddressModuleProcService$Close$ChangeConfigManagerOpenVersion
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4162453160-0
                                                                                                                                                                                                                                                        • Opcode ID: f8287a4ebead65567865fbc35adf436dba60a6adc4d795e5f87ed92900e67fad
                                                                                                                                                                                                                                                        • Instruction ID: 79bd5803e37ef6c080453e2f6a248d77e238cb3d90f03d0b2c861a60b32c8154
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f8287a4ebead65567865fbc35adf436dba60a6adc4d795e5f87ed92900e67fad
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB21217161C781ABDB30CB68CC45BDB77E8AB4A724F400E5DE5A99B2C0DF35A444CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,00000000,D0A01E50,80000002,?), ref: 6F85BF8F
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000), ref: 6F85BFF3
• std::exception::exception.LIBCMT ref: 6F85C040
• GetLastError.KERNEL32(?,RegQueryValueEx,0000000F), ref: 6F85C04F
• __CxxThrowException@8.LIBCMT ref: 6F85C067
• _swscanf.LIBCMT ref: 6F85C089
• std::exception::exception.LIBCMT ref: 6F85C0C5
• GetLastError.KERNEL32(?,swscanf), ref: 6F85C0D4
• __CxxThrowException@8.LIBCMT ref: 6F85C0EC
• RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 6F85C10B
• __CxxThrowException@8.LIBCMT ref: 6F85C140
• _swscanf.LIBCMT ref: 6F85C162
• __CxxThrowException@8.LIBCMT ref: 6F85C196
• RegSetValueExW.ADVAPI32(?,?,00000000,0000000B,?,00000008), ref: 6F85C1B7
• __CxxThrowException@8.LIBCMT ref: 6F85C1EC
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,?,00000000,?,00000000,00000000), ref: 6F85C21C
• __CxxThrowException@8.LIBCMT ref: 6F85C256
• RegCloseKey.ADVAPI32(?), ref: 6F85C2C1
• RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,6F8A8450), ref: 6F85C3B1
• __CxxThrowException@8.LIBCMT ref: 6F85C3E2
• __CxxThrowException@8.LIBCMT ref: 6F85C425
• RegSetValueExW.ADVAPI32(?,?,00000000,?,00000001,?), ref: 6F85C44D
• __CxxThrowException@8.LIBCMT ref: 6F85C2AB
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
• RegSetValueExW.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 6F85C271
  • Part of subcall function 6F85FBB0: std::exception::exception.LIBCMT ref: 6F85FBC3
  • Part of subcall function 6F85FBB0: GetLastError.KERNEL32(?,?,6F85C47A,RegSetValueEx), ref: 6F85FBCE
• __CxxThrowException@8.LIBCMT ref: 6F85C482
• RegCloseKey.ADVAPI32(?,?,6F8BD420,RegSetValueEx), ref: 6F85C48B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw$Value$ErrorLaststd::exception::exception$Close_swscanf$ByteCharCreateExceptionMultiQueryRaiseWideXinvalid_argumentstd::_
• String ID: %llu$Invalid value type$RegQueryValueEx$RegSetValueEx$WideCharToMultiByte$swscanf
• API String ID: 2334525903-1655690740
• Opcode ID: dea3fa9e77e77e9ea4b31193246577d44db2e5cbd7cf402381404dc6dabca7c4
• Instruction ID: 4748334bb965143822b5e090cc040f1870dbb9e8cb201b157101a156610d5348
• Opcode Fuzzy Hash: dea3fa9e77e77e9ea4b31193246577d44db2e5cbd7cf402381404dc6dabca7c4
• Instruction Fuzzy Hash: BEF18D70901208EBDF54CFB8C981FDEB7B5AF42708F2049A9E505AF281D770AA55CFA1
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• std::exception::exception.LIBCMT ref: 6F8ADACD
• __CxxThrowException@8.LIBCMT ref: 6F8ADAE4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Exception@8Throw_mallocstd::exception::exception
• String ID: ALIAS$ANCHOR$BLOCK_ENTRY$BLOCK_MAP_END$BLOCK_MAP_START$BLOCK_SEQ_END$BLOCK_SEQ_START$DIRECTIVE$DOC_END$DOC_START$FLOW_ENTRY$FLOW_MAP_COMPACT$FLOW_MAP_END$FLOW_MAP_START$FLOW_SEQ_END$FLOW_SEQ_START$KEY$SCALAR$TAG$VALUE
• API String ID: 4063778783-3171149512
• Opcode ID: 6d4794487a2b4f7c67336381bfe59d38953321e4dd7cb54692d02fe8e99a3ad9
• Instruction ID: 525805cb9d9ddd1b0d836710d4682891d4272264b4504e9e62c9a5f30a5e128c
• Opcode Fuzzy Hash: 6d4794487a2b4f7c67336381bfe59d38953321e4dd7cb54692d02fe8e99a3ad9
• Instruction Fuzzy Hash: 5E91AB70549B82AADB11CF2DE84071E7EE0A757A20F8409DEE6545F385DB788528CBE3
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6F890ABC,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F898105
• __mtterm.LIBCMT ref: 6F898111
  • Part of subcall function 6F897DDC: TlsFree.KERNEL32(0000000D,6F890B7F,6F890B65,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F897E07
  • Part of subcall function 6F897DDC: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6F890B7F,6F890B65,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F89A3A3
  • Part of subcall function 6F897DDC: _free.LIBCMT ref: 6F89A3A6
  • Part of subcall function 6F897DDC: DeleteCriticalSection.KERNEL32(0000000D,?,?,6F890B7F,6F890B65,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F89A3CD
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6F898127
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6F898134
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6F898141
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6F89814E
• TlsAlloc.KERNEL32(?,?,6F890ABC,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F89819E
• TlsSetValue.KERNEL32(00000000,?,?,6F890ABC,6F8BCE30,00000008,6F890C50,?,?,?,6F8BCE50,0000000C,6F890D0B,?), ref: 6F8981B9
• __init_pointers.LIBCMT ref: 6F8981C3
• __calloc_crt.LIBCMT ref: 6F898231
• GetCurrentThreadId.KERNEL32 ref: 6F89825D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
• API String ID: 4163708885-3819984048
• Opcode ID: 7b63ffa3c36df9636a15acffbb5eaac54998f83af02ad8d5c9cc00d21edc2ad9
• Instruction ID: 43f695c1c0ba103f75236cf6734a21809205187bf62fa6417012737e717db306
• Opcode Fuzzy Hash: 7b63ffa3c36df9636a15acffbb5eaac54998f83af02ad8d5c9cc00d21edc2ad9
• Instruction Fuzzy Hash: B6314F32908E11AEDF149B7D8C05B5A3FA9EB46379F5009EBE4149F698DB309021CFD0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _swscanf
• String ID: %u.%u$%u.%u.%u$%u.%u.%u.%u$v%u$v%u.%u$v%u.%u.%u$v%u.%u.%u.%u
• API String ID: 2748852333-538441230
APIs
• GetVersionExW.KERNEL32(?,00000000,?,6F87117A), ref: 6F88EA09
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,6F87117A), ref: 6F88EA1F
• GetProcAddress.KERNEL32(00000000), ref: 6F88EA28
• GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,?,6F87117A), ref: 6F88EA46
• GetProcAddress.KERNEL32(00000000), ref: 6F88EA49
• GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,?,6F87117A), ref: 6F88EA5B
• GetProcAddress.KERNEL32(00000000), ref: 6F88EA5E
• OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,6F87117A), ref: 6F88EAA0
Strings
Similarity
• API ID: AddressHandleModuleProc$ManagerOpenVersion
• String ID: GetNativeSystemInfo$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 4247078701-1191386364
APIs
• __CxxThrowException@8.LIBCMT ref: 6F874ABE
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
• __CxxThrowException@8.LIBCMT ref: 6F874B2B
• __CxxThrowException@8.LIBCMT ref: 6F874BE5
  • Part of subcall function 6F864430: std::exception::exception.LIBCMT ref: 6F864498
• __CxxThrowException@8.LIBCMT ref: 6F874CA1
• std::exception::exception.LIBCMT ref: 6F874CDE
  • Part of subcall function 6F8901B5: std::exception::operator=.LIBCMT ref: 6F8901CE
  • Part of subcall function 6F856620: std::_Xinvalid_argument.LIBCPMT ref: 6F85663A
Strings
• YAML major version too large, xrefs: 6F874BA2
• repeated YAML directive, xrefs: 6F874ACC
• bad YAML version: , xrefs: 6F874C2A
• YAML directives must have exactly one argument, xrefs: 6F874A63
Similarity
• API ID: Exception@8Throw$std::exception::exception$ExceptionRaiseXinvalid_argumentstd::_std::exception::operator=
• String ID: YAML directives must have exactly one argument$YAML major version too large$bad YAML version: $repeated YAML directive
• API String ID: 1017350598-727870030
APIs
• MessageBoxW.USER32(00000000,?,00000000,00000003), ref: 6F870F18
Strings
Similarity
• API ID: Message
• String ID: cancel$error$information$okcancel$warning$yes$yesno$yesnocancel
• API String ID: 2030045667-3513478497
APIs
Strings
Similarity
• API ID: Xinvalid_argumentstd::_$_memmove
• String ID: invalid string position$string too long
• API String ID: 2168136238-4289949731
APIs
• DeleteService.ADVAPI32(?), ref: 6F873FED
• CloseServiceHandle.ADVAPI32(?), ref: 6F873FFA
• Sleep.KERNEL32(00000064), ref: 6F874008
• DeleteService.ADVAPI32(?,00000000), ref: 6F87404C
• CloseServiceHandle.ADVAPI32(?), ref: 6F874059
• Sleep.KERNEL32(00000064), ref: 6F874067
Strings
• Notification Area, xrefs: 6F8740A1
• User Promoted Notification Area, xrefs: 6F8740AE
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Service$CloseDeleteHandleSleep
• String ID: Notification Area$User Promoted Notification Area
• API String ID: 4165916433-1815018085
• Opcode ID: 9720eaaf820c842ba9c147e8c6ced77c6705aa340a8663f54c86d69237880dfb
• Instruction ID: b6ec5642b7d12a796a8a651d9ea960df215a7eca592f23e34667b470026cb226
• Opcode Fuzzy Hash: 9720eaaf820c842ba9c147e8c6ced77c6705aa340a8663f54c86d69237880dfb
• Instruction Fuzzy Hash: 313170B1504B80EBDB20DB68CC85B9BB3E8BB85715F400D5DF0669B380DB75E4548B63
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 256744135-2556327735
• Opcode ID: 244298182fcb3b429dc9dac276ec490f71a446d123014131cd5dd4a26481cf6b
• Instruction ID: 89029814d1f8ee741b30caa6533637bcb29bb80257ae9d6ef820e4732f4eb1c3
• Opcode Fuzzy Hash: 244298182fcb3b429dc9dac276ec490f71a446d123014131cd5dd4a26481cf6b
• Instruction Fuzzy Hash: 0F31A4357047049BD734AEECE980A1AB7E6DB82714B600FDEE4B28F6D1DB20EC408756
APIs
• GetVersionExW.KERNEL32 ref: 6F87412D
• GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 6F87413D
• GetProcAddress.KERNEL32(00000000), ref: 6F874144
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: AddressHandleModuleProcVersion
• String ID: GetNativeSystemInfo$kernel32.dll$x64$x86
• API String ID: 3310240892-405694257
• Opcode ID: 766b661248ceede3116966a697fafdf04049e77020ee632e6a695cb60a9a90fe
• Instruction ID: c15cc828d1b4da39d64b09bb2faf863b7c93a4ae25233781ee6841ea2ca8c7cb
• Opcode Fuzzy Hash: 766b661248ceede3116966a697fafdf04049e77020ee632e6a695cb60a9a90fe
• Instruction Fuzzy Hash: 86419171518740DBC720DB68C881B8FB7E4BBD6314F000DAEF5558A290EA31E555CB93
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 6F878EAB
• std::_Lockit::_Lockit.LIBCPMT ref: 6F878ED1
• std::bad_exception::bad_exception.LIBCMT ref: 6F878F55
• __CxxThrowException@8.LIBCMT ref: 6F878F64
• std::_Lockit::_Lockit.LIBCPMT ref: 6F878F79
• std::locale::facet::_Facet_Register.LIBCPMT ref: 6F878F94
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
• String ID: bad cast
• API String ID: 2427920155-3145022300
• Opcode ID: 259fa5f81d15762fc8c303881f25d1dca73599fefc2b9b183a6db469a5a62d09
• Instruction ID: 1289d1c3ec34a1d38ff0c89a2d7b21934361df6a684867f02cc7f7dfe340c837
• Opcode Fuzzy Hash: 259fa5f81d15762fc8c303881f25d1dca73599fefc2b9b183a6db469a5a62d09
• Instruction Fuzzy Hash: 4C31BA71508750AFD728DF28D884B4E73E1AF55728F204EDDE8669F2C0DB30A949CB92
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 6F868C8B
• std::_Lockit::_Lockit.LIBCPMT ref: 6F868CB1
• std::bad_exception::bad_exception.LIBCMT ref: 6F868D35
• __CxxThrowException@8.LIBCMT ref: 6F868D44
• std::_Lockit::_Lockit.LIBCPMT ref: 6F868D59
• std::locale::facet::_Facet_Register.LIBCPMT ref: 6F868D74
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                                                                                                                                                                        • String ID: bad cast
                                                                                                                                                                                                                                                        • API String ID: 2427920155-3145022300
                                                                                                                                                                                                                                                        • Opcode ID: 37053a6b6732b720d1c643443313f77c1bcefad20114b7d3befea352cd1371f5
                                                                                                                                                                                                                                                        • Instruction ID: 9dc805f8be1856415b8695c2ca8514e1a7381661a9e8d6407ce20a66c98bb301
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37053a6b6732b720d1c643443313f77c1bcefad20114b7d3befea352cd1371f5
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DE31A0315087109FC714DF28C894B5A77A0BF66728F000EDDE8A59F2D1DB34A948CBA2
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F868B3B
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F868B61
                                                                                                                                                                                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 6F868BE5
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F868BF4
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F868C09
                                                                                                                                                                                                                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 6F868C24
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                                                                                                                                                                        • String ID: bad cast
                                                                                                                                                                                                                                                        • API String ID: 2427920155-3145022300
                                                                                                                                                                                                                                                        • Opcode ID: d21291eaeb0e9e5daea425708921be6201bfd5652bdad250d828b02865d46235
                                                                                                                                                                                                                                                        • Instruction ID: 51041a21cf7198394ef9d9bfd044a9a3c27b5b82cd9167a8c44c08a862fd32a6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d21291eaeb0e9e5daea425708921be6201bfd5652bdad250d828b02865d46235
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7319271508711DFC708CF28D890B4A73E4AF5A724F004EDDE8AA9F2D0DB34A909CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F86842B
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F868451
                                                                                                                                                                                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 6F8684D5
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F8684E4
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F8684F9
                                                                                                                                                                                                                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 6F868514
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                                                                                                                                                                        • String ID: bad cast
                                                                                                                                                                                                                                                        • API String ID: 2427920155-3145022300
                                                                                                                                                                                                                                                        • Opcode ID: 4f73caa5dc60a5e7623c9a3504516354e6fab091ab300bbe77b8fe36d3b985d0
                                                                                                                                                                                                                                                        • Instruction ID: fdcebc38cf5b78ea7803cc3f47f0c2a651806b90d45b69fc381b02d4709f1310
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f73caa5dc60a5e7623c9a3504516354e6fab091ab300bbe77b8fe36d3b985d0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E8319C315087119FC718DF28D880B9A77A4BF56338F000EDDE8A69F2D4DB34A944CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853A57
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853A75
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853A93
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F853AFC
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
                                                                                                                                                                                                                                                        • String ID: \ChicaLogic\ChicaPC-Shield$invalid string position$string too long
                                                                                                                                                                                                                                                        • API String ID: 443534600-3045764314
                                                                                                                                                                                                                                                        • Opcode ID: ea2eb71b618c1df8c8bc1e2bebf572968d33775b44880b3b21284b0d3f67390d
                                                                                                                                                                                                                                                        • Instruction ID: 7a8c79a570be196acd902ff6b5026fec7d061364156cfd5872fa8b8ca856f16f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ea2eb71b618c1df8c8bc1e2bebf572968d33775b44880b3b21284b0d3f67390d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 312164323047019B8765DEACD89281AB3E7BFD57153214EAEE092CF650D731ED25C762
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F85FAE0: GetCurrentProcess.KERNEL32(000F01FF,D0A01E50,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAF7
                                                                                                                                                                                                                                                          • Part of subcall function 6F85FAE0: OpenProcessToken.ADVAPI32(00000000,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FAFE
                                                                                                                                                                                                                                                          • Part of subcall function 6F85FAE0: LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 6F85FB14
                                                                                                                                                                                                                                                          • Part of subcall function 6F85FAE0: CloseHandle.KERNEL32(?,?,?,?,6F873D6F,D0A01E50,?,D0A01E50,75090460,750A49C0), ref: 6F85FB22
                                                                                                                                                                                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000), ref: 6F873DA2
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 6F873DD2
                                                                                                                                                                                                                                                        • DeviceIoControl.KERNEL32(00000000,00222404,00000000,00000000,?,00000004,?,00000000), ref: 6F873DFF
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 6F873E19
                                                                                                                                                                                                                                                        • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 6F873E71
                                                                                                                                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000493E0), ref: 6F873EB1
                                                                                                                                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 6F873EBA
                                                                                                                                                                                                                                                        • Sleep.KERNEL32(0000012C), ref: 6F873ED0
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: CloseHandle$Process$Open$ControlCreateCurrentDeviceFileLookupObjectPrivilegeSingleSleepTokenValueWait
• String ID:
• API String ID: 1709624590-0
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
• std::exception::exception.LIBCMT ref: 6F87E1B5
• __CxxThrowException@8.LIBCMT ref: 6F87E1CC
• std::exception::exception.LIBCMT ref: 6F87E1DE
• __CxxThrowException@8.LIBCMT ref: 6F87E1F5
• std::exception::exception.LIBCMT ref: 6F87E207
• __CxxThrowException@8.LIBCMT ref: 6F87E21E
• std::exception::exception.LIBCMT ref: 6F87E230
• __CxxThrowException@8.LIBCMT ref: 6F87E247
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890816
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890830
  • Part of subcall function 6F8907C7: __CxxThrowException@8.LIBCMT ref: 6F890841
Similarity
• API ID: std::exception::exception$Exception@8Throw$_malloc
• String ID:
• API String ID: 2621100827-0
APIs
Strings
Similarity
• API ID: Time$FileSystem__swprintf_swscanf
• String ID: %u, $%u, %u, %u, %u, %u | $0, 0
• API String ID: 2298001682-3198786647
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 6F875A62
• std::_Xinvalid_argument.LIBCPMT ref: 6F875B0A
• std::_Xinvalid_argument.LIBCPMT ref: 6F875B1C
• __Stoulx.LIBCPMT ref: 6F875C58
• std::_Lockit::_Lockit.LIBCPMT ref: 6F875C7B
  • Part of subcall function 6F864230: std::_Lockit::_Lockit.LIBCPMT ref: 6F86423F
  • Part of subcall function 6F868C60: std::_Lockit::_Lockit.LIBCPMT ref: 6F868C8B
  • Part of subcall function 6F868C60: std::_Lockit::_Lockit.LIBCPMT ref: 6F868CB1
Strings
Similarity
• API ID: std::_$LockitLockit::_$Xinvalid_argument$Stoulx
• String ID: string too long
• API String ID: 533899799-2556327735
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F858D20
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• _memmove.LIBCMT ref: 6F858D93
• _memmove.LIBCMT ref: 6F858DB8
• _memmove.LIBCMT ref: 6F858DF5
• _memmove.LIBCMT ref: 6F858E12
Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                                                                        • String ID: deque<T> too long
                                                                                                                                                                                                                                                        • API String ID: 4034224661-309773918
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F880A80
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• _memmove.LIBCMT ref: 6F880AF3
• _memmove.LIBCMT ref: 6F880B18
• _memmove.LIBCMT ref: 6F880B55
• _memmove.LIBCMT ref: 6F880B72
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 4034224661-309773918
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F8583DC
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• _memmove.LIBCMT ref: 6F85844C
• _memmove.LIBCMT ref: 6F858471
• _memmove.LIBCMT ref: 6F8584AE
• _memmove.LIBCMT ref: 6F8584CB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 4034224661-309773918
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F85E9A6
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• _memmove.LIBCMT ref: 6F85E9FC
• _memmove.LIBCMT ref: 6F85EA0A
• _memmove.LIBCMT ref: 6F85EA1D
• _memmove.LIBCMT ref: 6F85EA5E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
• String ID: vector<T> too long
• API String ID: 4034224661-3788999226
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F866F94
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
  • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
• std::_Xinvalid_argument.LIBCPMT ref: 6F866FA7
• std::_Xinvalid_argument.LIBCPMT ref: 6F866FC2
• _memmove.LIBCMT ref: 6F867025
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position$string too long
• API String ID: 443534600-4289949731
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F868287
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
  • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
• std::_Xinvalid_argument.LIBCPMT ref: 6F8682A5
• std::_Xinvalid_argument.LIBCPMT ref: 6F8682C0
• _memmove.LIBCMT ref: 6F86831F
Strings
Similarity
• API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
• String ID: invalid string position$string too long
• API String ID: 443534600-4289949731
APIs
• __CxxThrowException@8.LIBCMT ref: 6F864156
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
• std::exception::exception.LIBCMT ref: 6F86417D
• __CxxThrowException@8.LIBCMT ref: 6F86419C
• std::exception::exception.LIBCMT ref: 6F8641BE
• __CxxThrowException@8.LIBCMT ref: 6F8641DD
• std::exception::exception.LIBCMT ref: 6F8641FA
• __CxxThrowException@8.LIBCMT ref: 6F864219
Similarity
• API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
• String ID:
• API String ID: 4237746311-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 6F8A2478
• __calloc_crt.LIBCMT ref: 6F8A2484
• __getptd.LIBCMT ref: 6F8A2491
• CreateThread.KERNEL32(?,?,6F8A23EE,00000000,?,?), ref: 6F8A24C8
• GetLastError.KERNEL32(?,?,?,?,6F85449C,00000000,00000000,6F871BC0,?,00000000,00000000), ref: 6F8A24D2
• _free.LIBCMT ref: 6F8A24DB
• __dosmaperr.LIBCMT ref: 6F8A24E6
  • Part of subcall function 6F89257E: __getptd_noexit.LIBCMT ref: 6F89257E
Similarity
• API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
• String ID:
• API String ID: 155776804-0
APIs
• GetModuleHandleW.KERNEL32(KERNEL32.DLL,6F8BD0D8,00000008,6F897F21,00000000,00000000,?,6F8537D0,?,D0A01E50,?), ref: 6F897E2A
• __lock.LIBCMT ref: 6F897E5E
  • Part of subcall function 6F89A4B6: __mtinitlocknum.LIBCMT ref: 6F89A4CC
  • Part of subcall function 6F89A4B6: __amsg_exit.LIBCMT ref: 6F89A4D8
  • Part of subcall function 6F89A4B6: EnterCriticalSection.KERNEL32(00000000,00000000,?,6F897E63,0000000D), ref: 6F89A4E0
• InterlockedIncrement.KERNEL32(?), ref: 6F897E6B
• __lock.LIBCMT ref: 6F897E7F
• ___addlocaleref.LIBCMT ref: 6F897E9D
Strings
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                                                                                                                                        • String ID: KERNEL32.DLL
                                                                                                                                                                                                                                                        • API String ID: 637971194-2576044830
                                                                                                                                                                                                                                                        • Opcode ID: 80691b858385db1d80a7aa9573626c1833d118418af57a2eea54f05938ff7e42
                                                                                                                                                                                                                                                        • Instruction ID: 4e09ed476b991aabccc43d95ebf7be97cf64f8b45cb31ab645a1c3744d5b0392
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 80691b858385db1d80a7aa9573626c1833d118418af57a2eea54f05938ff7e42
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64011B76804B01EADB209F6DD80574DBBE0AF51325F108D8ED596AF3D0CB74AA45CB51
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ___set_flsgetvalue.LIBCMT ref: 6F8A23F4
                                                                                                                                                                                                                                                          • Part of subcall function 6F897D8B: TlsGetValue.KERNEL32(6F851114,6F897EE4,?,6F8537D0,?,D0A01E50,?), ref: 6F897D94
                                                                                                                                                                                                                                                          • Part of subcall function 6F897D8B: TlsSetValue.KERNEL32(00000000,?,6F8537D0,?,D0A01E50,?), ref: 6F897DB5
                                                                                                                                                                                                                                                        • ___fls_getvalue@4.LIBCMT ref: 6F8A23FF
                                                                                                                                                                                                                                                          • Part of subcall function 6F897D6B: TlsGetValue.KERNEL32(?,?,6F8A2404,00000000), ref: 6F897D79
                                                                                                                                                                                                                                                        • ___fls_setvalue@8.LIBCMT ref: 6F8A2412
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000000,?,00000000), ref: 6F8A241B
                                                                                                                                                                                                                                                        • ExitThread.KERNEL32 ref: 6F8A2422
                                                                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6F8A2428
                                                                                                                                                                                                                                                        • __freefls@4.LIBCMT ref: 6F8A2448
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 259663610-0
                                                                                                                                                                                                                                                        • Opcode ID: 516375dd7a88f909cbe699c55eed26e0f35cf1054cfc9ab552c63fdebef4c36f
                                                                                                                                                                                                                                                        • Instruction ID: 597fc0baaae96ed694930b03fef9056222f9ae809a981c8402195271a94b9100
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 516375dd7a88f909cbe699c55eed26e0f35cf1054cfc9ab552c63fdebef4c36f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDF09074401B44BBD7089F7EC90889E7BA9EF853183208AD4E8048F358EB39D802CBA0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F880276
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F88028D
                                                                                                                                                                                                                                                          • Part of subcall function 6F879D20: _memmove.LIBCMT ref: 6F879E37
                                                                                                                                                                                                                                                          • Part of subcall function 6F87F800: std::_Xinvalid_argument.LIBCPMT ref: 6F87F819
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F88029F
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F8802B6
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F8802C8
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F8802DF
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890816
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890830
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: __CxxThrowException@8.LIBCMT ref: 6F890841
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8Throw$Xinvalid_argument_malloc_memmovestd::_
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 410196489-0
                                                                                                                                                                                                                                                        • Opcode ID: c76e05438c9cd725971b6b2b21193c1d769c990ae66c48914a0b8da5e9d181f9
                                                                                                                                                                                                                                                        • Instruction ID: 07c413072d75dfbe25f83efc4278cd7a36a159b012417c1c1a4b32bc8441c021
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c76e05438c9cd725971b6b2b21193c1d769c990ae66c48914a0b8da5e9d181f9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B36148B1505B41EFC318CF29C88098AFBE0BF89314F509DAEE19A8B750D775E549CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,0000009C,00000000,00000000,00000003,00000001,00000000,?,?,?,6F89CB51,?,00000001,?), ref: 6F89CA86
                                                                                                                                                                                                                                                        • _malloc.LIBCMT ref: 6F89CABB
                                                                                                                                                                                                                                                        • _memset.LIBCMT ref: 6F89CADB
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,0000009C,?,00000001,0000009C,?,00000008,6F89144D,0000009C), ref: 6F89CAF0
                                                                                                                                                                                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6F89CAFE
                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 6F89CB08
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharMultiWide$StringType__freea_malloc_memset
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 525495869-0
                                                                                                                                                                                                                                                        • Opcode ID: 2b3b91f777adbcc0702aceac5fb7ddf24b7065d49908dd2333ebf6bbe8e836e7
                                                                                                                                                                                                                                                        • Instruction ID: 440680de6259c9ff3de13628cab4d2b7af2b0739d23a79645f37fea9e11064d9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2b3b91f777adbcc0702aceac5fb7ddf24b7065d49908dd2333ebf6bbe8e836e7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 273130B160020AAFEF00CF69EC81DAE7BE9EB45354F1148A6F9159A191E731DD60DB60
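The records above are what the Joe Sandbox IDA plugin emits for each function recovered from the cpcsgui dump: the call sites it found (with "Part of subcall function" marking calls attributed to a callee), the memory dump the function was lifted from, and the Similarity keys (API String ID, Opcode ID, Instruction Fuzzy Hash) meant for matching the same function across samples. The following parser is an added example, not part of the report or of Joe Sandbox; it turns records in this layout into structured data so they can be filtered for real imports and grouped by similarity key. The embedded sample is built from two of the records above, trimmed to a few lines each; the helper names `external_calls`, `direct_calls` and `group_by_api_string_id` are chosen here and are not report fields.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class ApiRef:
    name: str                 # e.g. "TlsGetValue"
    module: str               # e.g. "KERNEL32" (import) or "LIBCMT" (static CRT)
    ref: str                  # address of the call site
    args: list[str] = field(default_factory=list)   # raw argument column, "?" = unknown
    subcall: str | None = None  # callee address when attributed via "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list[ApiRef] = field(default_factory=list)
    source_file: str | None = None
    offset: str | None = None
    snapshot: str | None = None
    similarity: dict[str, str] = field(default_factory=dict)


# "TlsGetValue.KERNEL32(6F851114,?), ref: 6F897D94" or "___set_flsgetvalue.LIBCMT ref: 6F8A23F4"
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[\w@$:]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
_SECTIONS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
CRT_MODULES = ("LIBCMT", "LIBCPMT")  # statically linked MSVC CRT, not imports


def parse_report(text: str) -> list[FunctionRecord]:
    """Split report text into one FunctionRecord per 'APIs' block."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        # The HTML export appends its download-link label to dump names; drop it.
        line = raw.strip().removesuffix("Download File").strip()
        if not line:
            continue
        if line in _SECTIONS:
            if line == "APIs":          # every record opens with its API list
                records.append(FunctionRecord())
            section = line
            continue
        if not records or not line.startswith("•"):
            continue
        item = line.lstrip("•").strip()
        rec = records[-1]
        if section == "APIs":
            m = _API_RE.match(item)
            if m is None:
                raise ValueError(f"unrecognised API line: {item!r}")
            args = m["args"].split(",") if m["args"] else []
            rec.apis.append(ApiRef(m["name"], m["module"], m["ref"], args, m["sub"]))
        elif section == "Memory Dump Source" and item.startswith("Source File:"):
            parts = [p.strip() for p in item.split(",")]
            rec.source_file = parts[0].partition(":")[2].strip()
            for p in parts[1:]:
                if p.startswith("Offset:"):
                    rec.offset = p.partition(":")[2].strip()
        elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File:"):
            rec.snapshot = item.partition(":")[2].strip()
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records


def external_calls(rec: FunctionRecord) -> list[str]:
    """Distinct non-CRT APIs the function reaches, including through subcalls."""
    return sorted({a.name for a in rec.apis if a.module not in CRT_MODULES})


def direct_calls(rec: FunctionRecord) -> list[ApiRef]:
    """Call sites in the function itself (subcall attributions excluded)."""
    return [a for a in rec.apis if a.subcall is None]


def group_by_api_string_id(records: list[FunctionRecord]) -> dict[str, list[int]]:
    """Index records by the report's own 'API String ID' similarity key."""
    groups: dict[str, list[int]] = {}
    for i, rec in enumerate(records):
        groups.setdefault(rec.similarity.get("API String ID", ""), []).append(i)
    return groups


# Constructed sample: two records copied from this report's cpcsgui listing, trimmed.
SAMPLE = """\
APIs
• ___set_flsgetvalue.LIBCMT ref: 6F8A23F4
  • Part of subcall function 6F897D8B: TlsGetValue.KERNEL32(6F851114,6F897EE4,?,6F8537D0,?,D0A01E50,?), ref: 6F897D94
• GetLastError.KERNEL32(00000000,?,00000000), ref: 6F8A241B
• ExitThread.KERNEL32 ref: 6F8A2422
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 259663610-0
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,0000009C,00000000,00000000,00000003,00000001,00000000,?,?,?,6F89CB51,?,00000001,?), ref: 6F89CA86
• _malloc.LIBCMT ref: 6F89CABB
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6F89CAFE
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Similarity
• API String ID: 525495869-0
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE)):
        print(i, rec.similarity.get("API String ID"), external_calls(rec))
```

Feed it the text of a whole "Functions" section and `group_by_api_string_id` will collapse the CRT boilerplate (the `__getptd`/`__amsg_exit` and `std::exception` records repeat with identical keys) so that the handful of functions with unusual import mixes stand out; `external_calls` is the list to compare against the behaviour signatures at the top of the report.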
APIs
• __getptd.LIBCMT ref: 6F89A718
  • Part of subcall function 6F897F46: __getptd_noexit.LIBCMT ref: 6F897F49
  • Part of subcall function 6F897F46: __amsg_exit.LIBCMT ref: 6F897F56
• __amsg_exit.LIBCMT ref: 6F89A738
• __lock.LIBCMT ref: 6F89A748
• InterlockedDecrement.KERNEL32(?), ref: 6F89A765
• _free.LIBCMT ref: 6F89A778
• InterlockedIncrement.KERNEL32(010F1668), ref: 6F89A790
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
• String ID:
• API String ID: 3470314060-0
• Opcode ID: be6354c58d4d4bf800ad865a1bd6bd5dd737dce8c9b33046179ff1e46ff32766
                                                                                                                                                                                                                                                        • Instruction ID: 3ccfe8bcf355e1c86b17dfc56de50a2c036a53e4cb853fc3e159b7fbea2d9981
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: be6354c58d4d4bf800ad865a1bd6bd5dd737dce8c9b33046179ff1e46ff32766
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F201AD32D01B11FBCB059FAC85867ADB3B1AF06B29F1049C6E854AF280CB34A851CBD1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F85F460: CharUpperW.USER32(?), ref: 6F85F4F8
                                                                                                                                                                                                                                                          • Part of subcall function 6F85F460: CharUpperW.USER32(D0A01E50), ref: 6F85F509
                                                                                                                                                                                                                                                          • Part of subcall function 6F85BF10: RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,00000000,D0A01E50,80000002,?), ref: 6F85BF8F
                                                                                                                                                                                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004), ref: 6F855F78
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • Nu4w.rHXhIL4Q579vMJODuE+i0b6uu+I.Gpq*gf3R/QsiGp5Mw8MSfjeh-)DUgpOjJMNlrXcnU)sCONs1)w+.IM9+ozMI5qe-2bPa7BsqHHevbe,5XSHJ-AA6v3+YUfS8SvaawIFNO/Q2U-xMOAsaB, xrefs: 6F855CE3
                                                                                                                                                                                                                                                        • vars, xrefs: 6F855D47, 6F855E05
                                                                                                                                                                                                                                                        • SchedulerQueue, xrefs: 6F855DD6
                                                                                                                                                                                                                                                        • \settings.dat, xrefs: 6F855C7C
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CharUpper$CreateDeleteFile
                                                                                                                                                                                                                                                        • String ID: Nu4w.rHXhIL4Q579vMJODuE+i0b6uu+I.Gpq*gf3R/QsiGp5Mw8MSfjeh-)DUgpOjJMNlrXcnU)sCONs1)w+.IM9+ozMI5qe-2bPa7BsqHHevbe,5XSHJ-AA6v3+YUfS8SvaawIFNO/Q2U-xMOAsaB$SchedulerQueue$\settings.dat$vars
                                                                                                                                                                                                                                                        • API String ID: 1627135577-1198711701
                                                                                                                                                                                                                                                        • Opcode ID: 3cd35a0516a973b944ed8cd2056bd05a494126c3879e4aff1d0205e4c13ced4a
                                                                                                                                                                                                                                                        • Instruction ID: 48743148127b26c23e23d41e24299182e6226c5d47d1f0794b39f8e3994d1b10
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cd35a0516a973b944ed8cd2056bd05a494126c3879e4aff1d0205e4c13ced4a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0DB14BB1908380DBD760CF68C441B9FB7E5BF99308F404D6EE5899B281DB759458CB53
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _memmove_memset
                                                                                                                                                                                                                                                        • String ID: unexpected key token
                                                                                                                                                                                                                                                        • API String ID: 3555123492-251841271
                                                                                                                                                                                                                                                        • Opcode ID: cbb5e67cd1d4644af22a2b23c1207f8e69a6ebb50eba44d95d8ab27641974750
                                                                                                                                                                                                                                                        • Instruction ID: a7eeb95ad48ce4762f27d8f4231bbd3a565aa46723c09af60d72ed45472fc825
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cbb5e67cd1d4644af22a2b23c1207f8e69a6ebb50eba44d95d8ab27641974750
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2819071504242EFC728DF28C490A5AF3A5FF45314F508AAAE8588F752EB30F994CBE1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _memmove_memset
                                                                                                                                                                                                                                                        • String ID: unexpected value token
                                                                                                                                                                                                                                                        • API String ID: 3555123492-4033629345
                                                                                                                                                                                                                                                        • Opcode ID: de4e69f144e2694266da4262570f793e214a048348798a8b9ac96c41fce681ea
                                                                                                                                                                                                                                                        • Instruction ID: 776b9fdd93d27e14b88484c6182ed8a9e8a5fe4ddc04ceac2c09c894c9d77b38
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de4e69f144e2694266da4262570f793e214a048348798a8b9ac96c41fce681ea
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AE81ADB1504346AFC328CF19C880E6AF7A5FF4A314F508AADE8558F752EB31B954CB91
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853BA6
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F853BC4
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F853C1F
                                                                                                                                                                                                                                                          • Part of subcall function 6F853A40: std::_Xinvalid_argument.LIBCPMT ref: 6F853A57
                                                                                                                                                                                                                                                          • Part of subcall function 6F853A40: std::_Xinvalid_argument.LIBCPMT ref: 6F853A75
                                                                                                                                                                                                                                                          • Part of subcall function 6F853A40: std::_Xinvalid_argument.LIBCPMT ref: 6F853A93
                                                                                                                                                                                                                                                          • Part of subcall function 6F853A40: _memmove.LIBCMT ref: 6F853AFC
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                                                                                                                                                        • String ID: \ChicaLogic\ChicaPC-Shield$string too long
                                                                                                                                                                                                                                                        • API String ID: 2168136238-1084033844
                                                                                                                                                                                                                                                        • Opcode ID: d8d9e7d73a1cdb335797b32533fac9e7bb63018f049098f499ead01b8c0f0079
                                                                                                                                                                                                                                                        • Instruction ID: a224ead779e87b07a16cbb8b150c5e48f51c9e9d9cdb7547e3456045a6ae1801
• Opcode Fuzzy Hash: d8d9e7d73a1cdb335797b32533fac9e7bb63018f049098f499ead01b8c0f0079
• Instruction Fuzzy Hash: 7231DA723057159B4364CEACE89186AF3EBEF957113100EBFE592CF650DB71AC2483A5
APIs
  • Part of subcall function 6F8550B0: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,?,D0A01E50,?,?,?,?), ref: 6F855112
• SystemTimeToFileTime.KERNEL32(?,?), ref: 6F854933
• __swprintf.LIBCMT ref: 6F854965
• SHDeleteValueW.SHLWAPI(80000002,00000000,SchedulerQueue), ref: 6F8549F3
  • Part of subcall function 6F8552D0: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,0002001B,?,?,?,?,?,?,?,6F854864,?,00000000,?,?), ref: 6F85530A
  • Part of subcall function 6F8552D0: RegSetValueExW.ADVAPI32(?,SchedulerQueue,00000000,00000007,?,?,?,?,6F854864,?,00000000,?,?,?), ref: 6F855349
  • Part of subcall function 6F8552D0: RegCloseKey.ADVAPI32(?,?,?,6F854864,?,00000000,?,?,?), ref: 6F855358
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: OpenTimeValue$CloseDeleteFileSystem__swprintf
• String ID: %u, %u, %u, %u, %u | $SchedulerQueue
• API String ID: 3953210692-271011824
• Opcode ID: eab033b3dc5a5e7734c52a4b30ce9c918c9e67385ff570998710863a1a504d06
• Instruction ID: de333377a0d3a391483fc5901c7c5548ac131cd784a2791947e8863640674f0c
• Opcode Fuzzy Hash: eab033b3dc5a5e7734c52a4b30ce9c918c9e67385ff570998710863a1a504d06
• Instruction Fuzzy Hash: B6417071508300ABD754CF68C891A9FB3E5EFC4314F504D9EF59A9B290E730A969CB93
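The function above writes a value named SchedulerQueue with RegSetValueExW type 00000007 (REG_MULTI_SZ) under HKEY_LOCAL_MACHINE (80000002), after formatting an entry with "%u, %u, %u, %u, %u |" and calling SystemTimeToFileTime. The following is an added example for recovering such a value from raw registry data (for instance from a hive extracted in forensics), not code from the report or from the analysed sample. Everything about the value beyond the facts listed in the trace is an assumption: that each REG_MULTI_SZ string is one formatted entry, that two of the five fields may be the low and high halves of a FILETIME, and the sample bytes, which are constructed here. The subkey the value lives under is not recorded in the trace and is not guessed.

```python
"""Decode a REG_MULTI_SZ 'SchedulerQueue' blob of the shape the sandbox trace suggests.

Facts from the trace: root key 0x80000002 (HKEY_LOCAL_MACHINE), value name
'SchedulerQueue', dwType 7 (REG_MULTI_SZ), format string "%u, %u, %u, %u, %u |".
Assumed (not in the report): one formatted entry per REG_MULTI_SZ string, and
that a FILETIME may be stored as two of the 32-bit fields.
"""
import re
from typing import List, Tuple

HKEY_LOCAL_MACHINE = 0x80000002   # first argument to RegOpenKeyExW in the trace
REG_MULTI_SZ = 7                  # dwType passed to RegSetValueExW in the trace
VALUE_NAME = "SchedulerQueue"
FORMAT_STRING = "%u, %u, %u, %u, %u |"   # from the function's string table

# Regex equivalent of the __swprintf format: five unsigned decimals, then " |".
ENTRY_RE = re.compile(r"^(\d+), (\d+), (\d+), (\d+), (\d+) \|$")

# 100-nanosecond ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01.
EPOCH_DIFF_100NS = 116444736000000000


def encode_multi_sz(strings: List[str]) -> bytes:
    """Raw REG_MULTI_SZ layout: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split raw REG_MULTI_SZ bytes into strings; tolerates a missing double terminator."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must have an even byte length")
    parts = raw.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":      # drop the tails left by the terminators
        parts.pop()
    return parts


def format_entry(fields: Tuple[int, ...]) -> str:
    """Mimic the "%u, %u, %u, %u, %u |" formatting (each field truncated to 32 bits like %u)."""
    if len(fields) != 5:
        raise ValueError("an entry has exactly five fields")
    return ", ".join(str(f & 0xFFFFFFFF) for f in fields) + " |"


def parse_entry(entry: str) -> Tuple[int, ...]:
    """Parse one formatted entry back into its five unsigned 32-bit fields."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"entry does not match {FORMAT_STRING!r}: {entry!r}")
    fields = tuple(int(g) for g in m.groups())
    if any(f > 0xFFFFFFFF for f in fields):
        raise ValueError("field exceeds the range of %u")
    return fields


def is_valid_entry(entry: str) -> bool:
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def parse_scheduler_queue(raw: bytes, reg_type: int) -> List[Tuple[int, ...]]:
    """Decode a SchedulerQueue value; refuse anything that is not REG_MULTI_SZ."""
    if reg_type != REG_MULTI_SZ:
        raise ValueError(f"expected REG_MULTI_SZ ({REG_MULTI_SZ}), got {reg_type}")
    return [parse_entry(s) for s in decode_multi_sz(raw)]


def filetime_parts_to_unix(low: int, high: int) -> float:
    """Assumption: combine dwLowDateTime/dwHighDateTime into Unix seconds."""
    return (((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)) - EPOCH_DIFF_100NS
    # (division kept on its own line for readability)


def filetime_parts_to_unix_seconds(low: int, high: int) -> float:
    return filetime_parts_to_unix(low, high) / 10_000_000


def unix_to_filetime_parts(unix_seconds: float) -> Tuple[int, int]:
    """Inverse of the above, useful for building test data."""
    ft = int(unix_seconds * 10_000_000) + EPOCH_DIFF_100NS
    return ft & 0xFFFFFFFF, ft >> 32


# Constructed sample data (not from the analysed sample).
SAMPLE_ENTRIES = [(1, 2, 3, 4, 5), (4294967295, 0, 7, 8, 9)]
SAMPLE_RAW = encode_multi_sz([format_entry(e) for e in SAMPLE_ENTRIES])

if __name__ == "__main__":
    for fields in parse_scheduler_queue(SAMPLE_RAW, REG_MULTI_SZ):
        print(fields)
```

The trace does not show which subkey the value is written under, so a live check on a host would still have to locate the value by name; only the value name, type and entry format are taken from the report.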
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F85663A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F856676
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F8566D7
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                                                                                                                                        • API String ID: 1615890066-4289949731
                                                                                                                                                                                                                                                        • Opcode ID: 5caa8d6e89e8a22c5a75c41d3dd0de397fbc444ccf158c96a227327e36e53ec2
                                                                                                                                                                                                                                                        • Instruction ID: 5fea2ec7b0c7e0f2dcca6269bf2ec1d90390b2e11f047e922a597e6e21a1800c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5caa8d6e89e8a22c5a75c41d3dd0de397fbc444ccf158c96a227327e36e53ec2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5521B9333046149BD3609E5CAC90A5AF7E9DF92665F200EAFF551CF390DB7298608BA1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ___BuildCatchObject.LIBCMT ref: 6F893A4C
                                                                                                                                                                                                                                                          • Part of subcall function 6F8939A7: ___BuildCatchObjectHelper.LIBCMT ref: 6F8939DD
                                                                                                                                                                                                                                                        • _UnwindNestedFrames.LIBCMT ref: 6F893A63
                                                                                                                                                                                                                                                        • ___FrameUnwindToState.LIBCMT ref: 6F893A71
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                                                                                                                                                        • String ID: csm$csm
                                                                                                                                                                                                                                                        • API String ID: 2163707966-3733052814
                                                                                                                                                                                                                                                        • Opcode ID: 781db7614acfea28c332aed71eb207493b0bb3aa81d73770282c5f9290fd4cc2
                                                                                                                                                                                                                                                        • Instruction ID: 3c2e40404bc8951f40c00c5293e1330a6c467d88b7c6d23cba7391612e820cd5
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 781db7614acfea28c332aed71eb207493b0bb3aa81d73770282c5f9290fd4cc2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9801F671000609BBEF029F59CC46EDA7FAAFF09358F004854BD1C591A0D736EAB2DBA5
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _malloc.LIBCMT ref: 6F89DDD2
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: __FF_MSGBANNER.LIBCMT ref: 6F8932BD
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: __NMSG_WRITE.LIBCMT ref: 6F8932C4
                                                                                                                                                                                                                                                          • Part of subcall function 6F8932A4: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6F89450F,00000000,00000001,00000000,?,6F89A441,00000018,6F8BD148,0000000C,6F89A4D1), ref: 6F8932E9
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 6F89DDE5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1020059152-0
                                                                                                                                                                                                                                                        • Opcode ID: 33b3a2815e56feae0c8a95806a822c2e254088ccf4b7864c04f6c9bedf27b5a6
                                                                                                                                                                                                                                                        • Instruction ID: 626ca2e28378e1dde0427262b298abea34dfafbea1b5b02a739419a469bad8b6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 33b3a2815e56feae0c8a95806a822c2e254088ccf4b7864c04f6c9bedf27b5a6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B411C437844715BBCB151F7CEC1464E3BAAAF513B1B104DE5E884DE190DF34D450C698
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 6F863D7F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88FA1C: _setlocale.LIBCMT ref: 6F88FA2E
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 6F863D91
                                                                                                                                                                                                                                                          • Part of subcall function 6F8922D5: RtlFreeHeap.NTDLL(00000000,00000000,?,6F8537D0,?,D0A01E50,?), ref: 6F8922EB
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 6F863DA4
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 6F863DB7
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 6F863DCA
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: _free$FreeHeapLocinfo::_Locinfo_dtor_setlocalestd::_
• String ID:
• API String ID: 1034197179-0
APIs
• __getptd.LIBCMT ref: 6F89A2CF
  • Part of subcall function 6F897F46: __getptd_noexit.LIBCMT ref: 6F897F49
  • Part of subcall function 6F897F46: __amsg_exit.LIBCMT ref: 6F897F56
• __getptd.LIBCMT ref: 6F89A2E6
• __amsg_exit.LIBCMT ref: 6F89A2F4
• __lock.LIBCMT ref: 6F89A304
• __updatetlocinfoEx_nolock.LIBCMT ref: 6F89A318
Similarity
• API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
• String ID:
• API String ID: 938513278-0
APIs
  • Part of subcall function 6F895BFF: _doexit.LIBCMT ref: 6F895C0B
• ___set_flsgetvalue.LIBCMT ref: 6F8A23F4
  • Part of subcall function 6F897D8B: TlsGetValue.KERNEL32(6F851114,6F897EE4,?,6F8537D0,?,D0A01E50,?), ref: 6F897D94
  • Part of subcall function 6F897D8B: TlsSetValue.KERNEL32(00000000,?,6F8537D0,?,D0A01E50,?), ref: 6F897DB5
• ___fls_getvalue@4.LIBCMT ref: 6F8A23FF
  • Part of subcall function 6F897D6B: TlsGetValue.KERNEL32(?,?,6F8A2404,00000000), ref: 6F897D79
• ___fls_setvalue@8.LIBCMT ref: 6F8A2412
• GetLastError.KERNEL32(00000000,?,00000000), ref: 6F8A241B
• ExitThread.KERNEL32 ref: 6F8A2422
• GetCurrentThreadId.KERNEL32 ref: 6F8A2428
• __freefls@4.LIBCMT ref: 6F8A2448
Similarity
• API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 2403457894-0
APIs
Strings
Similarity
• API ID: swprintf
• String ID: $$%$+
• API String ID: 233258989-3202472541
APIs
Strings
Similarity
• API ID: swprintf
• String ID: $$%$+
• API String ID: 233258989-3202472541
APIs
Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _swscanf
                                                                                                                                                                                                                                                        • String ID: %u, %u, %u, %u, %u |
                                                                                                                                                                                                                                                        • API String ID: 2748852333-2091373509
                                                                                                                                                                                                                                                        • Opcode ID: 57aca9dd6a1e7aca1915420d35b887c4156427a5ec29c44912d9fd17fb8a66d7
                                                                                                                                                                                                                                                        • Instruction ID: 7936319a2a0437d0e942feffc62ad0d85df88a5e775109f53c49a22f6f299ba6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57aca9dd6a1e7aca1915420d35b887c4156427a5ec29c44912d9fd17fb8a66d7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A141E672A066009BC704CB68D46675BB3A4FBC9324F454DEAE45ACF280E771D928CB93
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F867F61
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F867F7C
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F867FCF
                                                                                                                                                                                                                                                          • Part of subcall function 6F868270: std::_Xinvalid_argument.LIBCPMT ref: 6F868287
                                                                                                                                                                                                                                                          • Part of subcall function 6F868270: std::_Xinvalid_argument.LIBCPMT ref: 6F8682A5
                                                                                                                                                                                                                                                          • Part of subcall function 6F868270: std::_Xinvalid_argument.LIBCPMT ref: 6F8682C0
                                                                                                                                                                                                                                                          • Part of subcall function 6F868270: _memmove.LIBCMT ref: 6F86831F
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                                                                                                                                                        • String ID: string too long
                                                                                                                                                                                                                                                        • API String ID: 2168136238-2556327735
                                                                                                                                                                                                                                                        • Opcode ID: 42144f9e1c755838d9eb3a3265667afbbbae1ac7f917cc6e77a714f769e116fa
                                                                                                                                                                                                                                                        • Instruction ID: a5d76ce1f5deb664da9397e0ee582d3509ceaf5264b70a5c80357553ac5c155b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 42144f9e1c755838d9eb3a3265667afbbbae1ac7f917cc6e77a714f769e116fa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7231C2723006149BD3248EACA880E6EF3E9DF91725B204EAFF5518F780CF61AC4083E5
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _memmove_memset
                                                                                                                                                                                                                                                        • String ID: \U00000000$u
                                                                                                                                                                                                                                                        • API String ID: 3555123492-2159923790
                                                                                                                                                                                                                                                        • Opcode ID: 286dc856a400a613b9172057ca7da156b8056352e6d8220d145ca6c06720d30e
                                                                                                                                                                                                                                                        • Instruction ID: 36303702249d83a7270069791e506f3a9a5ba0ae9be09dd5a3301853c4630eb6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 286dc856a400a613b9172057ca7da156b8056352e6d8220d145ca6c06720d30e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F41E1346087429FD314CF28C44066BBBE1AF8A314F548DADE8E58B352E775E909CB92
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F874DE7
                                                                                                                                                                                                                                                          • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F874E61
                                                                                                                                                                                                                                                          • Part of subcall function 6F864430: std::exception::exception.LIBCMT ref: 6F864498
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • repeated TAG directive, xrefs: 6F874E11
                                                                                                                                                                                                                                                        • TAG directives must have exactly two arguments, xrefs: 6F874DA1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throw$ExceptionRaisestd::exception::exception
                                                                                                                                                                                                                                                        • String ID: TAG directives must have exactly two arguments$repeated TAG directive
                                                                                                                                                                                                                                                        • API String ID: 994420026-120206097
                                                                                                                                                                                                                                                        • Opcode ID: 9e7e498e0920d14aa144f82dc1ae48a18e19ae3810f39bc6a87e64b1d5bf1537
                                                                                                                                                                                                                                                        • Instruction ID: 6e3aa7c24d882529ffa80e0fb72bdf9ec0689de10aea9385a4091f14aee83835
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e7e498e0920d14aa144f82dc1ae48a18e19ae3810f39bc6a87e64b1d5bf1537
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 76416D71609341AFD728DF59C881B9BBBE4FBC9714F404D5DE4898B781DB34A808CB52
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F868016
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F868031
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
• String ID: string too long
• API String ID: 963545896-2556327735
• Opcode ID: a9768fb2600df84e938433ffee815d89a7bef5906d12320e5e18ce924d0246e2
• Instruction ID: c45fb6b3e1ed1b7c7907c04bbfa63ae656e41081a6cb22621a7d5beebb2e9a14
• Opcode Fuzzy Hash: a9768fb2600df84e938433ffee815d89a7bef5906d12320e5e18ce924d0246e2
• Instruction Fuzzy Hash: 0421A73120C7458BC7359E6C9450A2ABBE9AFA7610F100E9EE4E58F7D1C7B2A8448763
APIs
• VerQueryValueW.VERSION(00000000), ref: 6F862099
• VerQueryValueW.VERSION(00000000,?,?,?,?,?,?,?,00000000), ref: 6F8620EB
Strings
• \VarFileInfo\Translation, xrefs: 6F862085
• \StringFileInfo\%04x%04x\%ws, xrefs: 6F8620C8
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: QueryValue
• String ID: \StringFileInfo\%04x%04x\%ws$\VarFileInfo\Translation
• API String ID: 3660427363-4289871972
• Opcode ID: 924fba4db58bb5abbf13bd449e8e4ffba1c2c6e36d8f1a10bbc1a1910bab3f79
• Instruction ID: 9394482e22d350f498313c968bcbc0109ad82ae9b6071d3888fd496bde64de09
• Opcode Fuzzy Hash: 924fba4db58bb5abbf13bd449e8e4ffba1c2c6e36d8f1a10bbc1a1910bab3f79
• Instruction Fuzzy Hash: 5B214F711083019BD728CF28D851BA7B3F9FF88704F444EADF58ACB640E779A54987A2
APIs
• OpenEventW.KERNEL32(00000002,00000000,00000000), ref: 6F855BA0
• SetEvent.KERNEL32(00000000), ref: 6F855BFB
• CloseHandle.KERNEL32(00000000), ref: 6F855C02
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Event$CloseHandleOpen
• String ID: UpdateConfig
• API String ID: 1560313832-558628780
• Opcode ID: 36d3c72b9b1d12d258755e026bd453feb7eebba28f89d8242f66bc046b6966ec
• Instruction ID: ea9d00c981966ca86e2e5176176461b577a7b7af0821b819a68817bc9c491b31
• Opcode Fuzzy Hash: 36d3c72b9b1d12d258755e026bd453feb7eebba28f89d8242f66bc046b6966ec
• Instruction Fuzzy Hash: 4E2148B1908780EBD700CB28C845A5FBBE5FF89328F404E6DF4998B290D779A554CB97
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F877B0A
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• std::_Xinvalid_argument.LIBCPMT ref: 6F877B19
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
• String ID: string too long
• API String ID: 963545896-2556327735
• Opcode ID: d632d46413f5c0c9c69ca468aee2fc773465790de393119e70d92bd7567917ff
• Instruction ID: 3b5529d0f3be891b18533acc54b2999aa4716a4798e6a5c7d3cc6999edf4771e
• Opcode Fuzzy Hash: d632d46413f5c0c9c69ca468aee2fc773465790de393119e70d92bd7567917ff
• Instruction Fuzzy Hash: EE1151307047409BD7358F2C9950B1E77F5EF96614F150ECAE0A18F391DB75A840C7A2
APIs
  • Part of subcall function 6F853280: std::_Xinvalid_argument.LIBCPMT ref: 6F853298
• RegOpenKeyExW.ADVAPI32(?,6F85610F,00000000,00000001,D0A01E50,00000000,D0A01E50,00000000), ref: 6F85C6FD
• RegQueryValueExW.ADVAPI32(?,?,00000000,6F85610F,?,00001000), ref: 6F85C755
• RegCloseKey.ADVAPI32(D0A01E50), ref: 6F85C764
• RegCloseKey.ADVAPI32(D0A01E50), ref: 6F85C786
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Close$OpenQueryValueXinvalid_argumentstd::_
• String ID:
• API String ID: 4154549875-0
• Opcode ID: 6d992424c73e7bdbf1b9b83b8f6357786f85196d0d8d14699e9b238e885ae9da
• Instruction ID: ad1b9c8d448d9d2f66b6c50d41f4dd252b95687f1ae9a5c1150d497bd75c6411
• Opcode Fuzzy Hash: 6d992424c73e7bdbf1b9b83b8f6357786f85196d0d8d14699e9b238e885ae9da
• Instruction Fuzzy Hash: FC416071508780EBC764CF28C880EABB7E8FFC9754F000E5EF5958A240D774A958CB62
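The records above are the Joe Sandbox IDA plugin's per-function summaries for the cpcsgui module dumped at image base 6F850000: each one lists the imports the function calls (with the call-site address after "ref:"), the strings it cross-references, the dump it was taken from, and the Opcode/Instruction IDs and fuzzy hashes used for similarity matching. Read together, the three records with named APIs are ordinary library behaviour: the VerQueryValueW pair with \VarFileInfo\Translation and \StringFileInfo\%04x%04x\%ws is the standard version-resource string lookup, OpenEventW with access mask 00000002 (EVENT_MODIFY_STATE) followed by SetEvent and CloseHandle signals an already-existing named event (the only string tied to that function is UpdateConfig), and RegOpenKeyExW/RegQueryValueExW with a 00001000-byte buffer is a registry read. The added example below is not part of the report and not Joe Sandbox code: it parses this listing into records so the API sets, string xrefs and similarity IDs of many functions can be queried in bulk. The sample input is constructed from three records on this page with the extraction indentation and "Download File" link residue removed; the bullet, heading and "Name.MODULE(args), ref: ADDR" line shapes are taken from the listing as it appears here, and the record/field names in the code are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: three function records transcribed from the IDA-plugin
# listing on this page (indentation and "Download File" residue removed, long
# hash lines dropped). Every record opens with an "APIs" heading.
SAMPLE = r"""APIs
• VerQueryValueW.VERSION(00000000), ref: 6F862099
• VerQueryValueW.VERSION(00000000,?,?,?,?,?,?,?,00000000), ref: 6F8620EB
Strings
• \VarFileInfo\Translation, xrefs: 6F862085
• \StringFileInfo\%04x%04x\%ws, xrefs: 6F8620C8
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: QueryValue
• String ID: \StringFileInfo\%04x%04x\%ws$\VarFileInfo\Translation
• API String ID: 3660427363-4289871972
APIs
• OpenEventW.KERNEL32(00000002,00000000,00000000), ref: 6F855BA0
• SetEvent.KERNEL32(00000000), ref: 6F855BFB
• CloseHandle.KERNEL32(00000000), ref: 6F855C02
Strings
Similarity
• API ID: Event$CloseHandleOpen
• String ID: UpdateConfig
• API String ID: 1560313832-558628780
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F877B0A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
Similarity
• API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
• String ID: string too long
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "Name.MODULE(args), ref: ADDR"; lines inside a subcall carry the callee address first.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<base>[0-9A-F]+), based on PE: (?P<pe>true|false)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # virtual address of the call site in the dump
    subcall_of: Optional[int] = None  # callee address when the call sits inside a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (text, xref address)
    source_file: Optional[str] = None
    image_base: Optional[int] = None
    snapshot: Optional[str] = None
    similarity: Dict[str, str] = field(default_factory=dict)      # API ID, String ID, hashes


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the plugin listing into one FunctionRecord per 'APIs' block."""
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not line.startswith("•") or not records:
            continue                      # blank lines and anything outside a record
        item, rec = line[1:].strip(), records[-1]
        if section == "APIs" and (m := API_RE.match(item)):
            args = [a for a in (m["args"] or "").split(",") if a]
            sub = int(m["sub"], 16) if m["sub"] else None
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif section == "Strings" and (m := STRING_RE.match(item)):
            rec.strings.append((m["text"], int(m["ref"], 16)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(item)):
            rec.source_file, rec.image_base = m["file"], int(m["base"], 16)
        elif section == "Joe Sandbox IDA Plugin" and item.startswith("Snapshot File:"):
            rec.snapshot = item.partition(":")[2].strip()
        elif section == "Similarity":
            key, _, val = item.partition(":")
            rec.similarity[key.strip()] = val.strip()
    return records


def calls_to(records: List[FunctionRecord], api_name: str) -> List[FunctionRecord]:
    """Records whose own body (not a subcall) calls api_name."""
    return [r for r in records
            if any(c.name == api_name and c.subcall_of is None for c in r.apis)]


def rva(rec: FunctionRecord, call: ApiCall) -> Optional[int]:
    """Call-site offset from the dumped image base; comparable across relocated loads."""
    return None if rec.image_base is None else call.ref - rec.image_base
```

The walrus assignments need Python 3.8 or later. Subcall lines are kept but flagged with the callee address, so `calls_to` only reports functions that issue the call themselves; `rva` turns the dump-specific "ref:" addresses into image-relative offsets that can be matched against a disassembly of the file on disk.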
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890816
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890830
                                                                                                                                                                                                                                                          • Part of subcall function 6F8907C7: __CxxThrowException@8.LIBCMT ref: 6F890841
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F879AF3
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F879B0A
                                                                                                                                                                                                                                                        • std::exception::exception.LIBCMT ref: 6F879BA0
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F879BB7
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw$_malloc
• String ID:
• API String ID: 2621100827-0
APIs
  • Part of subcall function 6F8907C7: _malloc.LIBCMT ref: 6F8907E1
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890816
  • Part of subcall function 6F8907C7: std::exception::exception.LIBCMT ref: 6F890830
  • Part of subcall function 6F8907C7: __CxxThrowException@8.LIBCMT ref: 6F890841
• std::exception::exception.LIBCMT ref: 6F880C97
• __CxxThrowException@8.LIBCMT ref: 6F880CAE
• std::exception::exception.LIBCMT ref: 6F880D17
• __CxxThrowException@8.LIBCMT ref: 6F880D2E
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8Throw$_malloc
• String ID:
• API String ID: 2621100827-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6F89E56E
• __isleadbyte_l.LIBCMT ref: 6F89E5A1
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 6F89E5D2
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 6F89E640
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 6F863CCE
• std::exception::exception.LIBCMT ref: 6F863D09
  • Part of subcall function 6F890109: std::exception::_Copy_str.LIBCMT ref: 6F890124
• __CxxThrowException@8.LIBCMT ref: 6F863D20
  • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F863D27
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
• String ID:
• API String ID: 73090415-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,00000010,?,6F8639FA,00000000,?), ref: 6F861DB6
• WriteFile.KERNEL32(00000000,0000006C,D0A01E50,?,00000000), ref: 6F861DD5
• CloseHandle.KERNEL32(00000000), ref: 6F861DE0
• CloseHandle.KERNEL32(00000000), ref: 6F861DEB
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseFileHandle$CreateWrite
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3602564925-0
                                                                                                                                                                                                                                                        • Opcode ID: 37d0536e0bee9b8e1912657e62cc3ce42117695de8d8c4c0b96a1b82fffeaf1b
                                                                                                                                                                                                                                                        • Instruction ID: 16ba2f42530954b672e9c88dadaf7976d4e728fa494ebb0c65e65e09d4dcc5bf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37d0536e0bee9b8e1912657e62cc3ce42117695de8d8c4c0b96a1b82fffeaf1b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DAF0F671241B207FDA149B64CC09F9B73A8AF4AB71F204989F651DF1C0D760681187E5
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F882113
                                                                                                                                                                                                                                                          • Part of subcall function 6F864430: std::exception::exception.LIBCMT ref: 6F864498
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F8821BE
                                                                                                                                                                                                                                                          • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throw$ExceptionRaisestd::exception::exception
                                                                                                                                                                                                                                                        • String ID: end of map flow not found
                                                                                                                                                                                                                                                        • API String ID: 994420026-2863301259
                                                                                                                                                                                                                                                        • Opcode ID: d73193bec8bcb2c8492af04e637ec4e5ddda9a43911f7016c5e42f78a4b447e7
                                                                                                                                                                                                                                                        • Instruction ID: 897c2f27ee77ada53ae056e5d3e1ff4a7899dd3f7e27ba9bda561951e44a657d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d73193bec8bcb2c8492af04e637ec4e5ddda9a43911f7016c5e42f78a4b447e7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D6915871504742EFC724DF28C480A5EB7E6BF85718F204DAEE1659F2A0DB35E845CB91
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F88DAB0: __CxxThrowException@8.LIBCMT ref: 6F88DD9F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88DAB0: std::_Xinvalid_argument.LIBCPMT ref: 6F88DDA9
                                                                                                                                                                                                                                                          • Part of subcall function 6F864430: std::exception::exception.LIBCMT ref: 6F864498
                                                                                                                                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6F88E513
                                                                                                                                                                                                                                                          • Part of subcall function 6F8924F0: RaiseException.KERNEL32(6F853778,?,D0A01E50,6F8B13C0,6F853778,?,6F8BD3C8,80000002,D0A01E50), ref: 6F892532
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_std::exception::exception
                                                                                                                                                                                                                                                        • String ID: '$unknown escape character:
                                                                                                                                                                                                                                                        • API String ID: 551578320-37139733
                                                                                                                                                                                                                                                        • Opcode ID: e716b3caec15073789c4b1cfe9de90d7a487b1db7c9bb34ed185f6c633770b87
                                                                                                                                                                                                                                                        • Instruction ID: 86d71f2a544bf6a9b3b54aaf26eb1c0777e8fe136c4b50cd301e70e4253760ee
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e716b3caec15073789c4b1cfe9de90d7a487b1db7c9bb34ed185f6c633770b87
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C51B07094D784EAC230DF68C940B9ABBE0AB87704F000EDEE4A95E381D774AD048B97
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F85E670: CryptCreateHash.ADVAPI32(00000000,?,00000000,00000000,?,00000000,?), ref: 6F85E68A
                                                                                                                                                                                                                                                          • Part of subcall function 6F85E670: CryptHashData.ADVAPI32(?,?,?,00000000,?,00000000,?), ref: 6F85E6A4
                                                                                                                                                                                                                                                          • Part of subcall function 6F85E670: CryptDestroyHash.ADVAPI32(00000000,?,?,?,00000000,?,00000000,?), ref: 6F85E6B2
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F85DC89
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        • , xrefs: 6F85DC9A
                                                                                                                                                                                                                                                        • %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x, xrefs: 6F85DC3F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CryptHash$CreateDataDestroy_memmove
                                                                                                                                                                                                                                                        • String ID: $%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
                                                                                                                                                                                                                                                        • API String ID: 2995263313-2265235149
                                                                                                                                                                                                                                                        • Opcode ID: b93cb6b1dbe3d8db8e7d66fc2a43ef12833417b548fb3cf896c48e61e19eb130
                                                                                                                                                                                                                                                        • Instruction ID: f3ef254007ee3e952ee369fc28226932a10c041ef7067fd1a165698e11f9940a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b93cb6b1dbe3d8db8e7d66fc2a43ef12833417b548fb3cf896c48e61e19eb130
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5C418FB251C390ABC365CB698810A2BFBF9AFCA705F044D9EF5D58A281D3789504CB63
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 6F864230: std::_Lockit::_Lockit.LIBCPMT ref: 6F86423F
                                                                                                                                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6F875F34
                                                                                                                                                                                                                                                        • __Stoulx.LIBCPMT ref: 6F875F92
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: LockitLockit::_std::_$Stoulx
• String ID: -
• API String ID: 3418229591-2547889144
• Opcode ID: 98deddee91300af9c33a0acb252582e3da573cd1bd849a769c4a78287ac1c1bb
• Instruction ID: 8abc9d83aabf9df1a616ee9418e7e872424ff4f88cda2769357a06f5d5505fbb
• Opcode Fuzzy Hash: 98deddee91300af9c33a0acb252582e3da573cd1bd849a769c4a78287ac1c1bb
• Instruction Fuzzy Hash: 7F4105716087459FC724CF28C580A5AB7E4FB89724F504E9EF9A59B390EB30E904CB92
APIs
  • Part of subcall function 6F864230: std::_Lockit::_Lockit.LIBCPMT ref: 6F86423F
• std::_Lockit::_Lockit.LIBCPMT ref: 6F875DC4
• __Stoulx.LIBCPMT ref: 6F875E22
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: LockitLockit::_std::_$Stoulx
• String ID: -
• API String ID: 3418229591-2547889144
• Opcode ID: 4d789e5832970c6b416abe58deae4fd9e4907c3427452c16ec71a51a5924f7aa
• Instruction ID: 17c1a052d743dd959027443b252e5e70348bbd3afe928c72f909f940032dc429
• Opcode Fuzzy Hash: 4d789e5832970c6b416abe58deae4fd9e4907c3427452c16ec71a51a5924f7aa
• Instruction Fuzzy Hash: 334149765087409FC324CF28C580A6EB7E5FF89714F504E6EF8A59B390EB31A904CB92
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F8565A4
• _memmove.LIBCMT ref: 6F8565F3
  • Part of subcall function 6F856620: std::_Xinvalid_argument.LIBCPMT ref: 6F85663A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: Xinvalid_argumentstd::_$_memmove
• String ID: string too long
• API String ID: 2168136238-2556327735
• Opcode ID: 933005990041f7081b97bae9ebc774fb8e4c10d7abbd4b0f8cbc548ce22c7e12
• Instruction ID: 7950292f90a9bd4123c583878ebb04da71db69b2a37a5ae01cfa1ffec56c7231
• Opcode Fuzzy Hash: 933005990041f7081b97bae9ebc774fb8e4c10d7abbd4b0f8cbc548ce22c7e12
• Instruction Fuzzy Hash: 8F31A4323507109BD3648E5CD890A5AF7EAEF97651B204DAFE191CF284C760EC6487A2
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F856722
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
  • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
  • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
• _memmove.LIBCMT ref: 6F85676A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: string too long
• API String ID: 1785806476-2556327735
• Opcode ID: afc9cd6f342f2f2e2ab815c3c0595bd5cbf738453f8e30b2c8e4c8450ff7cd8b
• Instruction ID: 57d58f4f63fe26426797582d9e4a2fb717fe514531fa20329866668fe463bd8a
• Opcode Fuzzy Hash: afc9cd6f342f2f2e2ab815c3c0595bd5cbf738453f8e30b2c8e4c8450ff7cd8b
• Instruction Fuzzy Hash: 8B113D721447049BE7B49D7CA890A3FB7E8AF52310F100F9FD097CA5C1EB61F4688251
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: __snwprintf
• String ID: %ws
• API String ID: 2391506597-1756730030
• Opcode ID: 5ad4c30e4b346627513ac80a49ef10141dc3324a5a38ab3062372a43dde37d04
• Instruction ID: 84105937a457d715b10cd039b1f6da84dde8a447b22888d5ed418a62967ee0f3
• Opcode Fuzzy Hash: 5ad4c30e4b346627513ac80a49ef10141dc3324a5a38ab3062372a43dde37d04
• Instruction Fuzzy Hash: 4B116DB1908304ABD700DF28C885D6BB3E8EB88324F445D6EF8858B350E735E950CBA7
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6F8567D3
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F697
  • Part of subcall function 6F88F682: __CxxThrowException@8.LIBCMT ref: 6F88F6AC
  • Part of subcall function 6F88F682: std::exception::exception.LIBCMT ref: 6F88F6BD
• _memmove.LIBCMT ref: 6F85680E
Strings
• invalid string position, xrefs: 6F8567CE
Memory Dump Source
• Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
Similarity
• API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
• String ID: invalid string position
                                                                                                                                                                                                                                                        • API String ID: 1785806476-1799206989
                                                                                                                                                                                                                                                        • Opcode ID: a770ca0914eeda7acc6f8657e910fe7b57855f3e859edc2c0b88799814e9360c
                                                                                                                                                                                                                                                        • Instruction ID: ef1241c83864bdd579c747d3b5b516bf3a214a8acf8775acf4da4dc81b3ad03b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a770ca0914eeda7acc6f8657e910fe7b57855f3e859edc2c0b88799814e9360c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6F01CC317043118BD264CE6CD890A1AB3EAABD6210B244EAED091CF745D7B0EC9283A1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F871FCD
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F872006
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1785806476-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: 83b39aeb044098ca91c08956527be6eb0a84585c9a03e813533053f8b6d15293
                                                                                                                                                                                                                                                        • Instruction ID: cef8d59a322cd9e7128b92cad2b58ec2c09ae69ec5c35158aa61e9fd92ffca0b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 83b39aeb044098ca91c08956527be6eb0a84585c9a03e813533053f8b6d15293
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8001A271B00A015BCF14DF6CD9A596A33F4F6423287040AEDE452C7380EB34B866CED1
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6F861E0F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F64A
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: __CxxThrowException@8.LIBCMT ref: 6F88F65F
                                                                                                                                                                                                                                                          • Part of subcall function 6F88F635: std::exception::exception.LIBCMT ref: 6F88F670
                                                                                                                                                                                                                                                        • _memmove.LIBCMT ref: 6F861E32
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.2571435985.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571402531.000000006F850000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571607645.000000006F8C6000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        • Associated: 0000000C.00000002.2571648475.000000006F8CC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_6f850000_cpcsgui.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                                                                                                                                        • API String ID: 1785806476-3788999226
                                                                                                                                                                                                                                                        • Opcode ID: fc407bfb27ccce393c9a7b1809fde36ebc64cb705d98666fc5a987f5b80a8839
                                                                                                                                                                                                                                                        • Instruction ID: e2eaec1bca173ddfb708afedd9f0ab57deb9d81d938c5960c83e37e36d910c4c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fc407bfb27ccce393c9a7b1809fde36ebc64cb705d98666fc5a987f5b80a8839
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDF0AFB1600B066FD210DF6DD98082BF7E9EF906147104E2DE5A6CB785DB30F8108B60